Security warnings in ‘npm audit’ are distracting developers

Get a free Techzine subscription!

Dan Abramov, a software engineer at Facebook published a plea last week to fix a particularly problematic JavaScript security tool. Its creators agreed that it could be improved. In his blog post, Abramov said that ‘as of today, npm audit is a stain on the entire npm ecosystem.’

He added that the best time to fix it would have been before it rolled out as the default mode. The next best time to fix it, he said, is now.

Abramov says that 99% of vulnerabilities flagged by the command are false alarms in common usage applications.

Users agree

Many npm users have expressed the same sentiments. More than 10 years ago, Isaac Schlueter created the npm package manager and co-founded a company of the same name that later got absorbed into GitHub.

In April 2018, npm version 6 finally arrived, with the audit command, because security in the npm ecosystem had to be taken seriously at the point.

JavaScript developers using npm could type in npm audit and get an analysis of their projects’ dependency tree (the intertwined libraries imported into the project to avoid rewriting existing functions afresh.)

Too much

The problem with the npm audit is that it overcorrected. A few years ago, JavaScript developers had to contend with security problems blindsiding them, as the npm runs its audit automatically, every time an ‘npm install’ command is executed.

Often, it brings up a deluge of vulnerability advisories that may not be easily fixable and therefore are not relevant.

The situation is unavoidable to some extent. However, Abramov says that the npm audit produces security warnings in contests where the risks are not a real concern and the alert overload doesn’t help. The original npm crew agrees with him on this.