Aqua Security, a security research company, has collected statistics on the top 50,000 packages on npm. After analyzing the data, they found that 8.2% of these packages are officially deprecated. This means that the package developers have clearly announced that these packages are outdated.
However, if we also count packages that are not officially deprecated but are in a similar state, for example where the GitHub repository has been archived or deleted while the package still exists on npm, or where the package has no link to its source repository at all, the proportion of unusable and deprecated packages rises to 21%, roughly one fifth of all packages.
Aqua Security points out that these deprecated packages pose security risks because developers no longer patch vulnerabilities, even if they have been reported. Therefore, organizations should establish policies on which packages should no longer be used. Aqua Security has also developed a tool, Dependency Deprecation Checker, to help identify these packages.
The issue of package vulnerabilities on npm has been discussed more frequently recently. Even GitHub has implemented various measures to enhance security, such as requiring developers to log in with 2FA to prevent malware from being injected into packages.
TLDR: Aqua Security analyzed the top 50,000 packages on npm and found that 8.2% are officially deprecated. Including packages in similar states, the proportion of unusable and deprecated packages increases to 21%. These packages pose security risks as developers no longer patch vulnerabilities. Organizations should establish policies to discontinue the use of such packages. Aqua Security has developed the Dependency Deprecation Checker tool to assist with identifying these packages. GitHub has also implemented security measures to enhance package security.