Nicholas C. Zakas on Securing npm and GitHub's Response
Changelog · January 30, 2026 · 1h 13min · 176 views
npm Security Vulnerabilities and Attacks
- ⚠️ In September alone, 500 npm packages were compromised, often through credential theft and the publishing of malicious code via pre/post-install scripts.
- 🎯 Attacks aim to steal crypto, exfiltrate secrets, or propagate further, with a growing concern that more damaging attacks are being tested.
- 🔑 Maintainers of high-download packages like ESLint (200M+ downloads/month) are potential targets for malicious actors and constantly have to deal with suspicious pull requests.
GitHub's npm Security Response
- ⚙️ GitHub's recent changes, like fine-grained tokens and limited token lifetimes (90 days), are seen as pushing more responsibility onto maintainers.
- 🔐 The introduction of Trusted Publishing via OpenID Connect in GitHub Actions aims to eliminate stored tokens but lacks two-factor authentication, leading the OpenJS Foundation to recommend against its use for critical packages.
- 🚧 Implementing these changes, especially for maintainers managing numerous packages, has been a significant burden due to the lack of batch operations and tools.
Limitations of Trusted Publishing and npm's Infrastructure
- 🌐 Trusted Publishing is primarily beneficial for GitHub/GitLab users, excluding companies using other platforms for their repositories.
- 💳 The analogy of credit card security is used: while npm implements validation measures, it lacks proactive anomaly detection to identify suspicious activity in real-time.
- 📉 npm, Inc. faced significant costs running the registry, leading to its acquisition by GitHub, which may lack the revenue incentive to invest heavily in its security and infrastructure.
Alternatives and Future of npm
- 🚀 Alternatives like JSR (Deno's package registry) showed promise with built-in security features but ultimately suffered from similar abandonment issues and compatibility problems with the npm ecosystem.
- 🚫 JSR's decision to disallow pre/post-install scripts, while safer, eliminates support for native compiled packages, a crucial aspect for many npm packages.
- 💡 Volt is mentioned as a tooling initiative rather than a registry, and its development also appears to be slow-moving.
Pre/Post-Install Scripts and Security Measures
- 🛠️ Pre/post-install scripts, originally useful for internal systems like Yahoo's Yinst, pose a significant risk in a public registry like npm, allowing execution of arbitrary code.
- 🚫 While disabling these scripts is an option, it can break legitimate package functionality, especially for native modules requiring compilation.
- 📈 Proposed solutions include forcing major version bumps for packages adding these scripts, increased scrutiny during the publish process, and verified publisher programs.
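A consumer-side version of the "major version bump" idea, as an added example that is not from the conversation or from npm: it compares two package-lock.json snapshots and reports dependencies that newly carry an install script. It assumes lockfileVersion 2 or 3, where npm records a `hasInstallScript` flag per package; the function names and the sample lockfiles are constructed for illustration.

```javascript
// Added example: flag dependencies that gained an install script between two lockfiles.
// Relies on the `hasInstallScript` flag npm writes into package-lock.json (v2 and v3).

// Map "node_modules/..." path -> { version, hasScript } for every locked package.
function installScriptMap(lock) {
  const out = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    out.set(path, { version: meta.version || "0.0.0", hasScript: meta.hasInstallScript === true });
  }
  return out;
}

const major = (v) => parseInt(String(v).split(".")[0], 10);

// Compare lockfiles; report packages whose install script is new in `after`.
// `allowlist` holds package names that are expected to build natively.
function newInstallScripts(before, after, allowlist = []) {
  const old = installScriptMap(before);
  const findings = [];
  for (const [path, cur] of installScriptMap(after)) {
    if (!cur.hasScript) continue;
    // Strip the (possibly nested) node_modules prefix to get the package name.
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (allowlist.includes(name)) continue;
    const prev = old.get(path);
    if (prev && prev.hasScript) continue; // script was already present and reviewed
    let reason = "new dependency with install script";
    if (prev) {
      reason = major(prev.version) === major(cur.version)
        ? "install script added without a major version bump"
        : "install script added in a major release";
    }
    findings.push({ name, from: prev ? prev.version : null, to: cur.version, reason });
  }
  return findings;
}

// Constructed sample lockfiles (package names are made up).
const BEFORE = { lockfileVersion: 3, packages: { "": { name: "app" },
  "node_modules/example-helper": { version: "1.4.2" },
  "node_modules/native-img": { version: "2.0.0", hasInstallScript: true } } };
const AFTER = { lockfileVersion: 3, packages: { "": { name: "app" },
  "node_modules/example-helper": { version: "1.4.3", hasInstallScript: true },
  "node_modules/native-img": { version: "2.0.1", hasInstallScript: true },
  "node_modules/@scope/tiny-util": { version: "0.3.0", hasInstallScript: true } } };

const REPORT = newInstallScripts(BEFORE, AFTER);
console.log(REPORT);
```

Run against the lockfile diff in a pull request, a non-empty report is a signal to review the package before installing, or to install with `--ignore-scripts` until it has been reviewed.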
The Challenge of npm's Scale and Governance
- 🌐 The sheer scale of npm (3.1 million packages) makes migration to alternatives extremely difficult, creating significant inertia.
- 💸 JavaScript registries are not inherently profitable, leading to challenges for for-profit businesses and startups like npm, Inc. and potentially JSR.
- 🤝 Other ecosystems (Ruby, Rust, Python) often rely on foundations or non-profits funded by donations and sponsorships, a model that npm's for-profit business trajectory diverged from.
AI and Developer Productivity
- ⚡ AI is presented not as hype but as a significant productivity booster, enabling a 10x improvement in code generation for tasks like maintaining ESLint.
- 🚀 Developers are encouraged to embrace AI in 2026 for increased efficiency, especially when working across multiple projects.