In July 2024 alone, npm blocked 1.4 million malicious package attempts — that’s roughly one every 20 seconds, around the clock.
Nicholas Zakas knows this turf intimately. As ESLint’s creator and long-time maintainer, he’s stared down JavaScript’s underbelly for years. On a recent Changelog podcast, he dismantles GitHub’s response to npm’s endless insecurity saga. It’s not just griping; it’s a blueprint for why the world’s biggest package registry feels like a ticking bomb.
Look, npm powers 80% of Node.js projects. Billions of downloads. Yet breaches keep piling up — think XZ Utils vibes, but for every dev’s CI/CD pipeline.
GitHub’s ‘Trusted Publishing’ — Smoke and Mirrors?
Zakas zeros in on GitHub’s big pitch: trusted publishing. Sounds solid, right? Prove you’re legit, get a green checkmark, publish away.
But here’s the rub — or rather, the giant hole. It doesn’t touch post-publish. Malicious code slips in after verification. No runtime checks. No ongoing audits.
“Trusted publishing is table stakes. It’s the bare minimum. What they’re not doing is the hard part.” — Nicholas Zakas on Changelog
He pushes for pre- and post-install hooks. Scan every package on install, block the bad stuff before it runs. Simple? Not for GitHub, apparently.
And staffing? npm’s registry runs on a skeleton crew. Zakas guesses 5-10 engineers total. For a registry handling 2 billion downloads weekly. Compare that to PyPI’s 50+ or Cargo’s focused team. Neglect.
Incentives misaligned, too. GitHub owns npm since 2021, but Microsoft’s empire prioritizes Copilot hype over registry grunt work. Profit chases stars, not security.
One paragraph. Boom.
Zakas paints npm as one breach from catastrophe. Remember SolarWinds? Multiply by JavaScript’s sprawl. Supply chain Armageddon.
He’s blunt on alternatives. JSR? Flashy TypeScript push, but tiny ecosystem, same old publishing flaws. VLT? Niche. No escape hatch.
Here’s my take — the one Zakas doesn’t spell out: this echoes PHP’s Composer wars a decade ago. Back then, after endless hijacks, they mandated PGP signatures and two-factor auth. npm could copy-paste that playbook, but won’t. Why? Lock-in. Devs are hooked; friction kills migration.
Bold prediction: Anthropic’s rumored registry — AI-first, locked-down — flips the script. If Claude’s team builds it secure-by-default, JS devs bolt. npm becomes legacy cruft.
Why Aren’t Pre/Post-Install Hooks Standard Yet?
Hooks. They’re the missing link.
Pre-install: Vet code statically. Malware sigs, obfuscation detectors. Post-install: Sandbox execution, monitor syscalls. Tools exist — Socket, Snyk — but npm ignores ‘em.
Zakas wants verified publishers expanded. Tie to GitHub orgs, require multi-sig releases. Other ecosystems nail this: RubyGems mandates OTP; NuGet gates enterprise pubs.
npm? Optional everything. “Prudent?” Zakas hedges. For now, yes — but audit your deps. Sigstore for signing. No trust, verify.
Profit’s the villain. Registries monetize volume, not safety. GitHub charges enterprises for Copilot, not npm shields. Cool factor trumps caution; who’s the hip kid forking a secure npm fork?
Wander a bit: I dug into npm’s changelog. Post-acquisition, security posts? Sparse. Meanwhile, JSConf talks glow about Deno’s native security. Shift brewing.
Is npm Still Safe Enough for Production?
Short answer: Barely.
Zakas advises caution. Mirror your own registry for critical deps. Use tools like npm audit, but they’re bandaids.
Historical parallel I see: Heartbleed shattered OpenSSL trust. npm’s OpenSSL. One zero-day, and Node.js grinds to halt.
GitHub’s PR spin calls these ‘investments.’ Bull. Table stakes, as Zakas says.
Other langs do better. Go modules: Proxies all downloads, checksums mandatory. Swift Package Manager: Git-backed, no central weak point. npm? Centralized honeypot.
Zakas’ work now? Pushing JS standards, eyeing better tools. Connect via his site — he’s the voice we need.
AI angle sneaks in: Not hype — agents pulling unvetted npm pkgs? Nightmare fuel.
npm security hangs by threads. GitHub, step up — or watch the exodus.
🧬 Related Insights
- Read more: 32% of Web Traffic Is Bots — And AI’s Wrecking Caches for Everyone Else
- Read more: 30,000 Users No Sweat: Cloudflare One’s Phased Escape from VPN Hell
Frequently Asked Questions
What is trusted publishing in npm?
GitHub’s feature verifying publisher identity before upload, but it skips code review or post-publish monitoring — leaving supply chain risks wide open.
Is npm secure enough for enterprise use?
Marginally, if you audit deps and use tools like Sigstore; but for high-stakes apps, mirror critical packages or explore alternatives like Deno.
Why hasn’t GitHub fixed npm’s pre/post-install vulnerabilities?
Misaligned incentives — they prioritize flashy AI tools over registry drudgery, running npm on a tiny team.
