CJ Silverio at Node Interactive Vancouver 2017
October 4th, 2017

Live blog: CJ Silverio on keeping JavaScript and npm secure

Tom Boutell
Chief Software Architect

CJ is CTO of NPM, Inc., where Node's primary repository of open source modules is created. This is a liveblog; bear with me as I try to keep up and be mostly accurate. — Tom

CJ has posted her slides.

npm dependably serves Node packages 24/7 to many Fortune 100 companies and the rest of us. 3 billion downloads a week! 9 million users! 156,000 package authors (1.7% of the total users)!

The very first version of npm didn't even have password protection because Isaac knew everybody who might conceivably publish a package.

Now we're doing so much more, but we need the policing. You need to know you can rely on the packages you are installing. 

Questions about security and npm modules

Is the registry secure?

Does the package have vulnerabilities?

Is the package malware to begin with?

Who published this, can I trust it?

What does a secure registry mean?

Can't be broken into.

Data can't be tampered with.

We don't try to do this alone, we have an ongoing security audit contract with ^Lift, "which I like to pronounce hat-lift." They do periodic penetration testing and ongoing code reviews.

This gives them a bit of confidence and should give you confidence. Good security is ongoing work, not a checkbox, not a one-time audit.

Does this package have vulnerabilities?

The answer is usually yes. These are unintentional problems that maintainers would fix if they knew about them.

Again, ^Lift helps with the Node Security Platform, reviewing popular packages and reporting vulnerabilities and handling reports. npm is one of the consumers of that database.

Is this package malware?

Malware comes in spam flavor and malware flavor. I don't like either one. Two kinds of content: spam content and JavaScript spam support.

Spam content: publishing packages just for SEO juice. And NPM's CDNs create a free hosting platform for spam! They use machine learning to catch spam. And they have speedbumps now such as validated email addresses.

"We seem to have made a dent but this war will never end. The Internet can't have nice things"

Poison-flavored malware: typo-squatting! Publishing packages with very similar names that do malicious stuff. At first this was a competitive tactic to pump up download counts. For instance momentjs had a typo-squatting competitor.

Also comes up accidentally: JSONStream and jsonstream are separate packages. 😱 They don't allow it anymore but have to maintain backward compatibility.

Recently has become malicious: bluebird has a punctuation variant that wraps it with a cryptocoin miner!

It takes weeks for the community to find these, if they are found at all. "With great popularity comes great annoyance." — Spiderman

An automated similarity checker has been implemented. This flags things for human attention.
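A sketch of what such a name-similarity check can look like, as an added example that is not npm's actual checker: the package list, the one-edit threshold and the function names are assumptions made for illustration.

```javascript
// Added illustration; not npm's real algorithm. POPULAR is a constructed sample list.
const POPULAR = ['bluebird', 'lodash', 'moment', 'JSONStream', 'express'];

// Collapse case and punctuation so that JSONStream/jsonstream, or a
// punctuation variant of bluebird, map to the same comparison key.
function canonical(name) {
  return name.toLowerCase().replace(/[^a-z0-9]/g, '');
}

// Levenshtein edit distance, two-row dynamic programming.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Return the reasons a proposed package name should go to a human reviewer.
// An empty array means nothing looked suspicious to this check.
function reviewFlags(candidate, known = POPULAR) {
  const flags = [];
  const c = canonical(candidate);
  for (const pkg of known) {
    if (pkg === candidate) continue; // the existing package itself
    const k = canonical(pkg);
    if (c === k) {
      flags.push({ similarTo: pkg, reason: 'differs only by case or punctuation' });
    } else if (k.length >= 5 && editDistance(c, k) === 1) {
      // Short names are skipped: one edit between 3-letter names is too common.
      flags.push({ similarTo: pkg, reason: 'one edit away' });
    }
  }
  return flags;
}
```

The check only flags; as in the talk, the decision stays with a human, because legitimate packages can sit one edit away from a popular name.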

Who published this package?

What happens if somebody steals JDD's auth token and posts malware as the extremely popular lodash package? That's scary. Very sensitive data.

New, as of today: the npm CLI has a command to help manage auth tokens: npm token

npm token create --read-only

So you can't publish with that token. Give your CI system a read-only token. [When do you need a token at all for read-only use? Private modules? -Tom]

npm token create --cidr=10.0.0.1/32

Bind a token to a range of IPs so it's no good from outside your company. [Not perfect, but could slow somebody down]

npm token list

npm token delete <tokenKey>

Get rid of what you're not using. [Maybe zap 'em all and log in again.]

npm profile

Set your profile data, like your email address... and turn on two-factor authentication.

Two-factor authentication

npm profile enable-2fa

Requires a regular password plus a one-time password for things like logging in or creating tokens. 

npm profile enable-2fa auth-and-writes

See: github.com/npm/npm-profile

You can also protect a specific package with two-factor auth, so that anytime that package is published by anybody, two-factor auth is required.

What about package signing?

"I've wanted two-factor auth since the very first day I worked at NPM. Now we've finally shipped it. Now I want to deliver package signing. We think we've figured out how to do it in the next year without slowing package installs to a crawl."

Coming soon: even more!

"Come see me & literal actual puppies at the npm booth. We want you to develop in confidence. You type 'npm install' thoughtlessly a thousand times a day. You think of npm as the command line tool, not even realizing most of the company is about running the registry. We want you to feel that way. We want to be boring, reliable and trustworthy."
