Understanding npm Developers' Practices, Challenges, and Recommendations for Secure Package Development

TL;DR

This study explores npm developers' security practices, perceptions, and challenges, revealing moderate security levels, reliance on automated tools, and a need for better detection, education, and account protections to enhance ecosystem security.

Contribution

It provides empirical insights into npm developers' security perceptions, practices, barriers, and suggestions, highlighting areas for improvement in npm security tools and education.

Findings

Developers perceive their packages as only moderately secure.

Automated security tools are preferred over manual code reviews.

Key barriers include time constraints and false positives.

Abstract

Background: The Node Package Manager (npm) ecosystem plays a vital role in modern software development by providing a vast repository of packages and tools that developers can use to implement their software systems. However, recent vulnerabilities in third-party packages have led to serious security breaches, compromising the integrity of applications that depend on them. Objective: This study investigates how npm package developers perceive and handle security in their work. We examined developers' understanding of security risks, the practices and tools they use, the barriers to stronger security measures, and their suggestions for improving the npm ecosystem's security. Method: We conducted an online survey with 75 npm package developers and undertook a mixed-methods approach to analyzing their responses. Results: While developers prioritize security, they perceive their packages as only moderately secure, with concerns about supply chain attacks, dependency vulnerabilities, and malicious code. Only 40% are satisfied with the current npm security tools due to issues such as alert fatigue. Automated methods such as two-factor authentication and npm audit are favored over code reviews. Many drop dependencies due to abandonment or vulnerabilities, and typically respond to vulnerabilities in their packages by quickly releasing patches. Key barriers include time constraints and high false-positive rates. To improve npm security, developers seek better detection tools, clearer documentation, stronger account protections, and more education initiatives. Conclusion: Our findings will benefit npm package contributors and maintainers by highlighting prevalent security challenges and promoting discussions on best practices to strengthen security and trustworthiness within the npm landscape.