Safety in Node.js: NodeSource to certify NPM modules

NodeSource is curating JavaScript packages for security, dependencies

Safety in Node.js: NodeSource to certify NPM modules
Paul Keller (CC BY 2.0)

NodeSource's Certified Modules service, intended to ensure the safety of NPM modules, becomes generally available on Thursday.

Previously available only in a private beta stage, the service for Node.js was developed to address concerns over issues like security, licensing, and dependencies among the JavaScript modules. Dependencies became a major sticking point last year when removal of one package from the public NPM registry resulted in others failing.

The company is curating all NPM packages in the registry, including different versions of these packages, and will let users know which are OK to use. Users can whitelist modules that do not meet certification criteria, such as not having a permissive license requirements.

NodeSource offers a scoring algorithm for its certification process, checking aspects like licenses, security vulnerabilities, and code quality. Factors like packages being unnecessarily large or having weak document would weaken a score, and a known security vulnerability or a nonpermissive license would prevent certification. Certified Modules will be a fee-based service, with the price starting at $1,000 per month for up to 50 users. Accessing the service requires changing a line in the user's NPM configuration. Users get their own registry of modules, which will automatically be checked going forward.

Copyright © 2017 IDG Communications, Inc.

How to choose a low-code development platform