The Biggest Risk With Using NPM
If you’re a JavaScript developer, then you have used the popular package manger npm at some point in your career.
NPM makes installing, updating and managing libraries and dependencies super easy with just a few basic commands that pretty much anyone can remember.
I personally use it all the time for my full-stack JavaScript applications. And, aside from bloating my project file sizes without my awareness sometimes, I haven’t faced any serious issues. At least not yet.
But that’s not to say that there aren’t any issues to be had. Because at some level, all software contains vulnerabilities.
Just recently, two popular npm libraries became the talk of the town when they were, seemingly, corrupted by their very own creator. Faker.js is a utility library used by millions of programmers that essentially generates dummy data for testing purposes. Colors.js is a library that lets you add color and style to your console window.
Both libraries aren’t vital for any production process that a programmer may have. But they do make development easier, and the cost of installation is relatively low.
More importantly though, both libraries are extremely popular on npm. Faker.js receives around 2.8 million downloads per week, while colors.js gets a whopping 25.8 million weekly…