www.peruma.me
Understanding npm Developers' Practices, Challenges, ...
a mixed-methods approach to analyzing their responses. Results: While developers prioritize security, they perceive their packages as only moderately secure, with concerns about supply chain attacks, dependency vulnerabilities, and malicious code. Only 40% are satisfied with the current npm security tools due to issues such as alert fatigue. Automated methods such as two-factor authentication and npm audit are favored over code reviews. Many drop dependencies due to abandonment or vulnerabilities, and typically respond to vulnerabilities in their packages by quickly releasing patches. Key barriers include time constraints and high false-positive rates. To improve npm security, developers seek better detection tools, clearer documentation, stronger account protections, and more …

… bilities [29]. This RQ identifies technical, organizational, and human ...

RQ4: What improvements should be prioritized to strengthen security for npm packages?
- Software security interventions often fail without practitioner input [28]. In this RQ, we gather …

… main concern, followed closely by dependency vulnerabilities and malicious code injection, which are ranked second and third, respectively. In addition, the two top-ranked threats received very similar scores, indicating a high level of concern among developers. Next, respondents were presented with an optional free-text response question (#12) to specify other areas they perceive as sig- …

… caused by “too much noise” in security notifications, where the volume of alerts can make it difficult to identify and prioritize genuine security threats.
• Ecosystem Fragmentation. Ensuring support for multiple package managers (e.g., npm, pnpm, yarn) and JavaScript runtimes (e.g., Node, Deno, Bun) can make package maintenance challenging, which can distract developers from security concerns.
• Malicious Code Execution. One primary concern raised by respondents is the automatic execution of post-install scripts by …

… being unclear.

Some of the key reasons for dissatisfaction include:
• Tool Noise and Alert Fatigue. Respondents complained that security scanners generate too many false positives or contextually irrelevant warnings, as one respondent noted, “The security scanning system in npm is a complete joke and more of a nuisance than anything. 99% of the “vulnerabilities” are idiotic and not wor- …

… mon coding mistakes or patterns that lead to vulnerabilities. For instance, one participant highlighted the absence of “common mistake scanning (pattern matching, etc.),” while another criticized that “tooling feels primitive and buggy.”
• Limited Tool Awareness. Some respondents admitted that they lacked knowledge about available tools, with responses like “Do …

… dependency vulnerabilities, and malicious code injection. Only 40% of developers are satisfied with the current security tools for npm packages. Common issues include alert fatigue, feature gaps, and a lack of awareness about available tools.

4.2 RQ2: What security practices and tools do npm developers leverage in building and …

… As shown in Table 7, respondents most frequently cited time constraints as a key barrier (49 responses; 26.2%). Other notable challenges included difficulty keeping up with security updates and emerging threats (33; 17.6%) and the complexity of managing dependencies (23; 12.3%). Insufficient community support was the …

Table 7 (rows present in the excerpt):
Difficulty keeping up with security updates and threats    33    17.65%
Complexity of managing dependencies    23    12.30%
Lack of awareness or understanding of security best practices    19    10.16%
Limited access to security resources    17    9.09%

Table 8: Top five developer challenges with security tools.
…    16.38%
Other    10    8.62%

At the tool level (Table 8), the obstacle most frequently reported was a high false-positive rate in security scans (35 responses; 30.2%), followed by inaccurate vulnerability detection and limited automation for dependency management. The least reported issue was integration difficulties with CI/CD pipelines (7 responses). Comments in the “Other” category included licensing constraints, overreliance on dependencies, and tools limited to static analysis.

Summary for RQ3. Time constraints are the most frequently cited barrier to secure package development, with other challenges including difficulties in keeping up with security updates and managing dependencies. At the tool level, a high false-positive rate in security scans was the most frequently reported issue, while CI/CD integration issues are comparatively rare.

4.4 RQ4: What improvements should be prioritized to strengthen security for npm packages?

While the prior RQs focused on current perceptions, practices, and
Related Pain Points (3 items)
Alert fatigue from security scanner false positives
Security scanning tools generate excessive false positives and low-value warnings that make it difficult for developers to identify genuine security threats. Developers report that 99% of reported "vulnerabilities" are irrelevant, causing alert fatigue and diverting attention from meaningful security work.
Time Constraints and Complexity Managing Dependency Security Updates
Developers struggle with time constraints (cited by 26.2%) and difficulty keeping up with security updates and emerging threats (17.6%), while managing complex dependency trees. The complexity of dependency management itself poses a significant barrier.
Ecosystem fragmentation across package managers and runtimes
Developers must maintain package compatibility across multiple package managers (npm, pnpm, yarn) and JavaScript runtimes (Node, Deno, Bun), significantly complicating maintenance and distracting from security concerns.