DEV Community

Discussion on: How do we improve security in the npm ecosystem?

Rob Hoelz

I think there are a lot of facets to this, but I think it would be interesting if there were a crowdsourced auditing/vetting system associated with package ecosystems. Auditing is yet another way people can contribute to open source, and it's something a lot of us are doing anyway. Here's how I imagine it would work:

  • New package X is published to npm/pypi/etc - version 1.0.0
  • Prospective auditors would see X/1.0.0 show up as having 0 (or few) audits, and they check out the code, inspect it for flaws, etc
  • If the code passes inspection, each auditor would sign off on the version - not just the package + version, but the code checksum or signature that npm/pip/etc could verify upon install.
  • npm/pip/etc would be configured to only install modules that have passed N audits, or have been audited by certain trusted individuals, web-of-trust style
  • A few months later, package X is updated - version 1.0.1. X/1.0.1 re-enters the queue, and is open for audits - the cycle begins anew

Individuals or organizations could stand up their own installations of this auditing management tool, so that a user could make sure they sign off on code entering their own system, or a company could make sure new or updated dependencies are audited and use this tool to manage that. Who knows - maybe you could attach a bounty to audit a module (who knows how the auditor would prove they did the work, though)!

Obviously the value of the audit is only as good as how much you trust your auditors - maybe it would just be pushing things back until things like voting-ring attacks pop up around this auditing infrastructure - but it would be a start.
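The install-time policy from the workflow above, as an added example that is not part of the original comment: each auditor's sign-off is bound to the package, version and artifact checksum, and the installer only accepts a version with N independent audits or one from a trusted auditor. Auditor names, keys and tarballs are constructed for the example, and HMAC stands in for the asymmetric signatures a real deployment would use.

```python
import hashlib
import hmac
from typing import NamedTuple


class Attestation(NamedTuple):
    auditor: str
    package: str
    version: str
    sha256: str
    mac: str


# Constructed auditor keys (hypothetical). A real system would use asymmetric
# signing keys so that verifiers never hold an auditor's secret.
AUDITOR_KEYS = {"alice": b"alice-key", "bob": b"bob-key", "carol": b"carol-key"}


def _message(package: str, version: str, digest: str) -> bytes:
    # Bind the sign-off to the exact artifact, not merely to name + version.
    return f"{package}\n{version}\n{digest}".encode()


def sign_audit(auditor: str, package: str, version: str, tarball: bytes) -> Attestation:
    """An auditor signs off on one specific artifact checksum."""
    digest = hashlib.sha256(tarball).hexdigest()
    mac = hmac.new(AUDITOR_KEYS[auditor], _message(package, version, digest), "sha256").hexdigest()
    return Attestation(auditor, package, version, digest, mac)


def verified_auditors(package: str, version: str, tarball: bytes, attestations) -> set:
    """Distinct auditors whose attestation matches exactly what is about to be installed."""
    digest = hashlib.sha256(tarball).hexdigest()
    expected = _message(package, version, digest)
    found = set()
    for a in attestations:
        key = AUDITOR_KEYS.get(a.auditor)
        if key is None or (a.package, a.version, a.sha256) != (package, version, digest):
            continue  # unknown auditor, or a sign-off for a different version/artifact
        if hmac.compare_digest(hmac.new(key, expected, "sha256").hexdigest(), a.mac):
            found.add(a.auditor)  # a set, so one auditor counts once
    return found


def install_allowed(package, version, tarball, attestations, min_audits=2, trusted=frozenset()):
    """Policy: at least N independent audits, or a sign-off from a trusted auditor."""
    auditors = verified_auditors(package, version, tarball, attestations)
    return len(auditors) >= min_audits or bool(auditors & trusted)
```

Note that a new version, or a tarball altered after the audit, has a different checksum and therefore starts again with zero valid audits, which is the re-entering-the-queue step from the list above.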

Eric Herman

I can imagine an automated audit which might be useful: to ensure that the minified version of a package is the same as the normal version. Setting up an easy way for anyone to verify this sounds straightforward, although perhaps not easy.

I see a direct parallel between trusting binaries and trusting minified source. For those who are not familiar with Ken Thompson's paper "Reflections on Trusting Trust", I highly recommend reading it:

Ken Thompson, "Reflections on Trusting Trust", Communications of the ACM, Vol. 27, No. 8, August 1984. dl.acm.org/citation.cfm?id=358210