
Understanding npm Developers' Practices, Challenges, and Recommendations for Secure Package Development

Updated 1/29/2026
https://www.arxiv.org/pdf/2601.20240.pdf

a mixed-methods approach to analyzing their responses. Results: While developers prioritize security, they perceive their packages as only moderately secure, with concerns about supply chain attacks, dependency vulnerabilities, and malicious code. Only 40% are satisfied with the current npm security tools due to issues such as alert fatigue. Automated methods such as two-factor authentication and npm audit are favored over code reviews. Many drop dependencies due to abandonment or vulnerabilities, and typically respond to vulnerabilities in their packages by quickly releasing patches. Key barriers include time constraints and high false-positive rates. To improve npm security, developers seek better detection tools, clearer documentation, stronger account protections, and more …

… age developers utilize security tools, identifying common and rare practices, gaps hindering adoption, deviations from guidelines, and practices needing redesign or better advocacy. RQ3: What barriers hinder the secure development and maintenance of npm packages? ...

... age abandonment, popularity, dependency structures, or contribution practices. In addition, we examine not only developers' security perceptions but also the concrete practices, tools, and barriers they face when building and maintaining secure npm packages. Beyond confirming the fragilities of the npm ecosystem, our findings re- …

… main concern, followed closely by dependency vulnerabilities and malicious code injection, which are ranked second and third, respectively. In addition, the two top-ranked threats received very similar scores, indicating a high level of concern among developers. Next, respondents were presented with an optional free-text response question (#12) to specify other areas they perceive as significant security threats to npm packages.

We received 12 responses to this question, and a thematic analysis of their responses revealed concerns related to both technical vulnerabilities and human factors. The themes identified are:

• Developer Security Knowledge Deficit. Gaps in security education can lead to unsafe practices (e.g., "many people are doing …

… caused by "too much noise" in security notifications, where the volume of alerts can make it difficult to identify and prioritize genuine security threats.

• Ecosystem Fragmentation. Ensuring support for multiple package managers (e.g., npm, pnpm, yarn) and JavaScript runtimes (e.g., Node, Deno, Bun) can make package maintenance challeng- …

• Package Maintainer Trust. Respondents expressed concerns regarding package maintainers, including those who intentionally insert malicious code, as well as those whose behavior might not be malicious but still creates security risks (e.g., "drunk, or crazy package maintainers").

• Dependency Freshness Challenges. Widely used but unmain- …

… being unclear. Some of the key reasons for dissatisfaction include:

• Tool Noise and Alert Fatigue. Respondents complained that security scanners generate too many false positives or contextually irrelevant warnings, as one respondent noted, "The security scanning system in npm is a complete joke and more of a nuisance than anything. 99% of the 'vulnerabilities' are idiotic and not wor- …

… mon coding mistakes or patterns that lead to vulnerabilities. For instance, one participant highlighted the absence of "common mistake scanning (pattern matching, etc.)," while another criticized that "tooling feels primitive and buggy."

• Limited Tool Awareness. Some respondents admitted that they lacked knowledge about available tools, with responses like "Do …

… dependency vulnerabilities, and malicious code injection. Only 40% of developers are satisfied with the current security tools for npm packages. Common issues include alert fatigue, feature gaps, and a lack of awareness about available tools.

4.2 RQ2: What security practices and tools do npm developers leverage in building and …

As shown in Table 7, respondents most frequently cited time constraints as a key barrier (49 responses; 26.2%). Other notable challenges included difficulty keeping up with security updates and emerging threats (33; 17.6%) and the complexity of managing dependencies (23; 12.3%). Insufficient community support was the …

Challenge                                                        Responses   Share
Difficulty keeping up with security updates and threats          33          17.65%
Complexity of managing dependencies                              23          12.30%
Lack of awareness or understanding of security best practices    19          10.16%
Limited access to security resources                             17           9.09%
Table 8: Top five developer challenges with security tools.