npm Blog (Archive)


New Security Insights API: Sneak Peek

Something I think is very important to supply chain security is having the right information available to make decisions about risk. Existing security tools report known vulnerabilities only at the tail end of a long disclosure process. We’re looking to improve the status quo by providing visibility into more of the supply chain, not just its end products.

Our first step in that effort is to start sharing information that npm is privileged to have due to its position in the publishing pipeline.

Over the next few blog posts I’ll be sharing previews of an API that the npm security team has been developing. Its working title has been the npm Insights API and we’re going to use it to get the information that we have available to us into your hands.

The first part of the API I’d like to show is the PublicationInfo schema. This GraphQL schema allows us to see some important pieces of information about the publication context of a particular package: whether the package was published with 2FA enabled (which is a good sign: they had to provide a second factor during npm publish) and if it was published over the Tor anonymity network (which is a potential red flag).

type PublicationInfo {
  username: String
  created: String
  tor: Boolean
  tfa: Boolean
}

If we wanted to look up the publication information for pg version 7.12.0 the query might look like:

query {
  package(name: "pg", version: "7.12.0") {
    publicationInfo {
      username
      tor
      tfa
    }
  }
}

The result would show us that indeed pg@7.12.0 was published with 2FA enabled and that it was not likely published over tor:

{
  "data": {
    "package": {
      "publicationInfo": {
        "username": "brianc",
        "tor": false,
        "tfa": true
      }
    }
  }
}

In the next few posts we’ll get into deep package integrity, malware indicators of compromise, and behavioral analysis at runtime. If you made it this far that probably got your attention, so keep watching this space as we progress in our adventure to bring you deep insights about the packages you’re using.