
arxiv.org

Understanding npm Developers' Practices, Challenges ...

Updated 3/20/2026
https://arxiv.org/html/2601.20240v1

We examined developers’ understanding of security risks, the practices and tools they use, the barriers to stronger security measures, and their suggestions for improving the npm ecosystem’s security. Method: We conducted an online survey with 75 npm package developers and undertook a mixed-methods approach to analyzing their responses. Results: While developers prioritize security, they perceive their packages as only moderately secure, with concerns about supply chain attacks, dependency vulnerabilities, and malicious code. Only 40% are satisfied with the current npm security tools, due to issues such as alert fatigue. Automated methods such as two-factor authentication and npm audit are favored over code reviews. Many drop dependencies due to abandonment or vulnerabilities, and typically respond to vulnerabilities in their packages by quickly releasing patches. Key barriers include time constraints and high false-positive rates.

…

The findings revealed that supply chain attacks ranked as the main concern, followed closely by dependency vulnerabilities and malicious code injection, ranked second and third respectively. The two top-ranked threats received very similar scores, indicating a high level of concern about both. Next, respondents were presented with an optional free-text question (#12) asking them to specify other areas they perceive as significant security threats to npm packages. ... The themes identified are:

…

- Security Tool Issues. The primary concern is alert fatigue caused by “too much noise” in security notifications: the volume of alerts makes it difficult to identify and prioritize genuine security threats.
- Ecosystem Fragmentation. Ensuring support for multiple package managers (e.g., npm, pnpm, yarn) and JavaScript runtimes (e.g., Node, Deno, Bun) makes package maintenance challenging and distracts developers from security concerns.

…

- Tool Noise and Alert Fatigue. Respondents complained that security scanners generate too many false positives or contextually irrelevant warnings. As one respondent noted, “The security scanning system in npm is a complete joke and more of a nuisance than anything. 99% of the ‘vulnerabilities’ are idiotic and not worthy of a real CVE.” Such excessive or low-value alerts are counterproductive, diverting developers from meaningful work. As another remarked, “way too noisy and causing lots of work for maintainers.”

…

Summary for RQ1. Developers viewed security as important and essential, yet most rate their own packages only “Somewhat Secure.” The primary security concerns are supply chain attacks, dependency vulnerabilities, and malicious code injection. Only 40% of developers are satisfied with the current security tools for npm packages; common issues include alert fatigue, feature gaps, and a lack of awareness about available tools.

…

As shown in Table 7, respondents most frequently cited time constraints as a key barrier (49 responses; 26.2%). Other notable challenges included difficulty keeping up with security updates and emerging threats (33; 17.6%) and the complexity of managing dependencies (23; 12.3%). Insufficient community support was the least cited issue, reported by only 11 respondents; security testing and balancing security with other quality attributes each received 14 responses. On average, respondents selected approximately three distinct challenges, underscoring that obstacles are multifaceted rather than isolated.

…

At the tool level (Table 8), the obstacle most frequently reported was a high false-positive rate in security scans (35 responses; 30.2%), followed by inaccurate vulnerability detection and limited automation for dependency management. The least reported issue was integration difficulties with CI/CD pipelines (7 responses). Comments in the “Other” category included licensing constraints, overreliance on dependencies, and tools limited to static analysis.

…

Summary for RQ3. Time constraints are the most frequently cited barrier to secure package development; other challenges include difficulty keeping up with security updates and managing dependencies. At the tool level, a high false-positive rate in security scans was the most frequently reported issue, while CI/CD integration problems are comparatively rare.

…

Supply Chain Vulnerabilities and Ecosystem Fragility. Our findings confirm that supply chain attacks and dependency vulnerabilities are developers’ primary concerns in the npm ecosystem, with free-text responses describing trust issues with maintainers, unmaintained dependencies, and risky post-install scripts. These results align with broader research showing that attackers exploit three main vectors: injecting vulnerabilities into dependencies, compromising build infrastructure, and targeting developers through social engineering (Williams et al., 2025). Addressing these issues requires better auditing tools, registry monitoring, and stronger governance and community practices for secure maintenance.

Dependency Problems and Discontinuation Decisions. There is notable variability in dependency update practices among developers: some adopt proactive, automated strategies, while others never update dependencies unless prompted by external events. This variability increases systemic risk, as outdated and abandoned dependencies persist in the ecosystem. When developers do discontinue dependencies, the most frequent drivers are package abandonment and unpatched vulnerabilities, further highlighting the fragility of the dependency network.
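The alert-fatigue complaint above (noise in `npm audit` output, one advisory repeated once per dependency path, no separation of fixable from unfixable findings) is the kind of problem a maintainer can partly solve with a triage pass over the JSON report. The script below is an added example, not code from the paper or from npm: it collapses the per-package report into one row per advisory, drops findings below a severity floor, records which direct dependencies pull the vulnerable package in, and splits the result into "run `npm audit fix`" versus "needs a human decision". It assumes the report shape of npm 7 and later (`auditReportVersion: 2`, a `vulnerabilities` object keyed by package name whose entries carry `severity`, `isDirect`, `via`, `effects`, `range`, `nodes` and `fixAvailable`); check that against the npm version you run. The report embedded in the script is constructed, not real audit output, and the advisory numbers and URLs in it are placeholders.

```javascript
// Added example (not from the paper or from npm): triage `npm audit --json` output
// so that a maintainer sees one row per advisory, not one per affected path.
//
// Assumption: npm 7+ report shape (auditReportVersion 2). Each entry under
// `vulnerabilities` is one package; its `via` array holds advisory objects for
// problems in that package itself, or bare package names when the problem is
// inherited from a dependency. `fixAvailable` is true, false, or an object
// describing the (possibly semver-major) upgrade that resolves it.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample: one transitive advisory inherited by two direct deps,
// one low-severity finding that should be filtered, one with no fix.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "pkg-a": {
      name: "pkg-a", severity: "high", isDirect: false,
      via: [{ source: 1001, name: "pkg-a", title: "Prototype pollution in pkg-a",
              url: "https://example.invalid/advisories/1001", severity: "high", range: "<1.2.3" }],
      effects: ["pkg-b", "pkg-c"], range: "<1.2.3", nodes: ["node_modules/pkg-a"], fixAvailable: true,
    },
    // pkg-b and pkg-c only inherit pkg-a's problem; npm names the parent in `via`.
    "pkg-b": { name: "pkg-b", severity: "high", isDirect: true, via: ["pkg-a"],
               effects: [], range: "*", nodes: ["node_modules/pkg-b"], fixAvailable: true },
    "pkg-c": { name: "pkg-c", severity: "high", isDirect: true, via: ["pkg-a"],
               effects: [], range: "*", nodes: ["node_modules/pkg-c"],
               fixAvailable: { name: "pkg-c", version: "3.0.0", isSemVerMajor: true } },
    "pkg-d": {
      name: "pkg-d", severity: "low", isDirect: true,
      via: [{ source: 1002, name: "pkg-d", title: "ReDoS in pkg-d",
              url: "https://example.invalid/advisories/1002", severity: "low", range: "<0.9.0" }],
      effects: [], range: "<0.9.0", nodes: ["node_modules/pkg-d"], fixAvailable: true,
    },
    "pkg-e": {
      name: "pkg-e", severity: "critical", isDirect: false,
      via: [{ source: 1003, name: "pkg-e", title: "RCE in pkg-e",
              url: "https://example.invalid/advisories/1003", severity: "critical", range: "<=2.0.0" }],
      effects: [], range: "<=2.0.0", nodes: ["node_modules/pkg-e"], fixAvailable: false,
    },
  },
};

// Turn `fixAvailable` into an instruction a maintainer can act on.
function describeFix(fixAvailable) {
  if (fixAvailable === true) return "npm audit fix";
  if (fixAvailable && fixAvailable.isSemVerMajor) {
    return `major bump: ${fixAvailable.name}@${fixAvailable.version}`;
  }
  if (fixAvailable) return `upgrade ${fixAvailable.name}@${fixAvailable.version}`;
  return "no fix available: pin, replace, or accept with a written justification";
}

// One row per advisory (keyed by `source`), at or above `minSeverity`.
// Inherited entries (bare names in `via`) add no new advisory and are skipped.
function triageAudit(report, minSeverity = "high") {
  const floor = SEVERITY_RANK[minSeverity];
  const byAdvisory = new Map();
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    for (const v of vuln.via || []) {
      if (typeof v !== "object") continue;
      if ((SEVERITY_RANK[v.severity] ?? -1) < floor) continue;
      const row = byAdvisory.get(v.source) || {
        source: v.source, title: v.title, severity: v.severity, package: v.name,
        vulnerableRange: v.range, isDirect: vuln.isDirect,
        dependents: vuln.effects || [],      // direct deps that pull this in
        installs: 0,                         // number of installed copies
        fix: describeFix(vuln.fixAvailable),
      };
      row.installs += (vuln.nodes || []).length;
      byAdvisory.set(v.source, row);
    }
  }
  return [...byAdvisory.values()]
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// Actionable items first: what `npm audit fix` handles versus what needs a decision.
function partition(rows) {
  return {
    fixable: rows.filter((r) => r.fix === "npm audit fix"),
    needsDecision: rows.filter((r) => r.fix !== "npm audit fix"),
  };
}

function printTriage(report, minSeverity) {
  const { fixable, needsDecision } = partition(triageAudit(report, minSeverity));
  for (const r of [...needsDecision, ...fixable]) {
    console.log(`[${r.severity}] ${r.package} ${r.vulnerableRange} (${r.title}); ` +
      `via ${r.dependents.join(", ") || "(direct)"}; ${r.installs} install(s); ${r.fix}`);
  }
}

printTriage(SAMPLE_REPORT, "high");
```

In a real pipeline the report comes from `npm audit --json --omit=dev > audit.json` and is read with `JSON.parse`; omitting dev dependencies at the npm level removes a large share of the noise before this script sees it, since dev-only findings never ship to users of the package.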
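The discussion above names risky post-install scripts, untrusted maintainers and unmaintained dependencies as the concrete supply-chain worries behind the survey answers. One check a maintainer can run before `npm ci` executes anything is a review of the lockfile itself. The script below is an added example, not code from the paper or from npm: it walks `package-lock.json`, lists every package that declares an install-time script, every package resolved from somewhere other than the expected registry, and every package without an integrity hash, and then separates the findings that matter for a production install from dev-only ones. It assumes lockfile version 2 or 3 (a `packages` map keyed by install path with the root at `""`, and `resolved`, `integrity`, `dev`, `link` and `hasInstallScript: true` fields as npm writes them); confirm the `hasInstallScript` flag against your npm version. The lockfile embedded in the script is constructed, and its hostnames and hashes are placeholders.

```javascript
// Added example (not from the paper or from npm): review package-lock.json for
// install-time scripts, non-registry sources and missing integrity hashes
// before anything is installed.
//
// Assumption: lockfileVersion 2/3 layout. `packages` is keyed by install path
// ("node_modules/<name>", nested paths for deduped copies, "" for the root,
// workspace targets by their directory), and npm records `hasInstallScript: true`
// on packages with preinstall/install/postinstall scripts.

const ALLOWED_REGISTRY = "https://registry.npmjs.org/";

// Constructed sample lockfile: a clean dep, a native dep with an install script,
// a dev-only dep with an install script, a git fork without integrity,
// a package pulled from a non-default host, and a workspace link.
const SAMPLE_LOCK = {
  name: "sample-app", version: "1.0.0", lockfileVersion: 3, requires: true,
  packages: {
    "": { name: "sample-app", version: "1.0.0", dependencies: { "left-ish": "^1.0.0" } },
    "node_modules/left-ish": {
      version: "1.0.0", resolved: "https://registry.npmjs.org/left-ish/-/left-ish-1.0.0.tgz",
      integrity: "sha512-AAAA", dependencies: { "native-thing": "^2.0.0" },
    },
    "node_modules/native-thing": {
      version: "2.0.0", resolved: "https://registry.npmjs.org/native-thing/-/native-thing-2.0.0.tgz",
      integrity: "sha512-BBBB", hasInstallScript: true,
    },
    "node_modules/dev-helper": {
      version: "0.3.1", resolved: "https://registry.npmjs.org/dev-helper/-/dev-helper-0.3.1.tgz",
      integrity: "sha512-CCCC", dev: true, hasInstallScript: true,
    },
    "node_modules/mystery-fork": {
      version: "4.2.0", resolved: "git+ssh://git@example.invalid/someone/mystery-fork.git#deadbeef",
    },
    "node_modules/mirror-pkg": {
      version: "1.1.0", resolved: "https://mirror.example.invalid/mirror-pkg/-/mirror-pkg-1.1.0.tgz",
      integrity: "sha512-DDDD",
    },
    "node_modules/local-lib": { resolved: "packages/local-lib", link: true },
    "packages/local-lib": { name: "local-lib", version: "0.0.1" },
  },
};

// Package name from an install path; handles scopes and nested copies.
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Every finding is { name, scope, kind, detail }; scope is prod, dev or optional.
function reviewLockfile(lock, allowedRegistry = ALLOWED_REGISTRY) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    // Skip the root, workspace symlinks and workspace source directories.
    if (path === "" || pkg.link || !path.includes("node_modules/")) continue;
    const name = nameFromPath(path);
    const scope = pkg.dev ? "dev" : pkg.optional ? "optional" : "prod";
    if (pkg.hasInstallScript) {
      findings.push({ name, scope, kind: "install-script",
        detail: "runs code at install time; read the script before trusting it" });
    }
    if (!pkg.resolved) {
      findings.push({ name, scope, kind: "unresolved", detail: "no resolved URL recorded" });
    } else if (!pkg.resolved.startsWith(allowedRegistry)) {
      findings.push({ name, scope, kind: "non-registry-source", detail: pkg.resolved });
    }
    if (!pkg.integrity) {
      findings.push({ name, scope, kind: "no-integrity",
        detail: "tarball cannot be verified against the lockfile" });
    }
  }
  return findings;
}

// What would actually execute or be trusted in `npm ci --omit=dev`:
// dev-only install scripts are reported but do not block.
function blocking(findings) {
  return findings.filter((f) => !(f.kind === "install-script" && f.scope === "dev"));
}

function printReview(lock) {
  const findings = reviewLockfile(lock);
  const fatal = new Set(blocking(findings));
  for (const f of findings) {
    console.log(`${fatal.has(f) ? "BLOCK" : "note "} ${f.kind.padEnd(20)} ${f.name} [${f.scope}] ${f.detail}`);
  }
  return fatal.size === 0;
}

printReview(SAMPLE_LOCK);
```

To keep install scripts from running at all while the review is pending, set `ignore-scripts=true` in the project `.npmrc` (or run `npm ci --ignore-scripts`) and then rebuild only the native packages you have actually reviewed with `npm rebuild <name>`; note that `ignore-scripts` also suppresses the project's own lifecycle scripts, so build steps must be invoked explicitly.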

Related Pain Points (6)

Orphaned and unmaintained dependencies create security risks

8

Many developers drop dependencies due to package abandonment or unpatched vulnerabilities. Orphaned packages with no active maintainers become soft targets for attackers and create systemic fragility in the dependency network.

Tags: dependency, npm

npm ecosystem supply chain attacks exploit TypeScript maintainer workflows

8

Multiple sophisticated npm compromises in 2025 (s1ngularity, debug/chalk, Shai-Hulud) exposed systemic weaknesses in TypeScript ecosystem maintainer authentication and CI workflows. The ecosystem requires stricter security practices but lacks standardized protections.

Tags: security, npm, TypeScript

Alert fatigue from security scanner false positives

7

Security scanning tools generate excessive false positives and low-value warnings that make it difficult for developers to identify genuine security threats. One surveyed maintainer put it that 99% of the reported "vulnerabilities" are not worthy of a real CVE; the resulting alert fatigue diverts attention from meaningful security work.

Tags: security, npm audit, npm

Security Vulnerability Remediation Time Overhead

6

Fixing security vulnerabilities consumes significant developer time. While security tools like Dependabot are widely adopted, vulnerability scanning and remediation remain a major productivity drain across organizations.

Tags: security, Dependabot

Ecosystem fragmentation across package managers and runtimes

6

Developers must maintain package compatibility across multiple package managers (npm, pnpm, yarn) and JavaScript runtimes (Node, Deno, Bun), significantly complicating maintenance and distracting from security concerns.

Tags: compatibility, npm, pnpm, yarn, +3

Low tool adoption due to limited awareness of available security solutions

4

Developers lack awareness of available npm security tools, with some respondents admitting they do not know what options exist. This contributes to the finding that only 40% are satisfied with current security tools, despite the solutions that do exist.

Tags: docs, npm