conf.researchr.org
Understanding npm Developers' Practices, Challenges, and ...
We examined developers’ understanding of security risks, the practices and tools they use, the barriers to stronger security measures, and their suggestions for improving the npm ecosystem’s security. ... Results: While developers prioritize security, they perceive their packages as only moderately secure, with concerns about supply chain attacks, dependency vulnerabilities, and malicious code. Only 40% are satisfied with the current npm security tools due to issues such as alert fatigue. Automated methods such as two-factor authentication and npm audit are favored over code reviews. Many drop dependencies due to abandonment or vulnerabilities, and typically respond to vulnerabilities in their packages by quickly releasing patches. Key barriers include time constraints and high false-positive rates. To improve npm security, developers seek better detection tools, clearer documentation, stronger account protections, and more education initiatives.
Related Pain Points2件
Alert fatigue from security scanner false positives
7Security scanning tools generate excessive false positives and low-value warnings that make it difficult for developers to identify genuine security threats. Developers report that 99% of reported "vulnerabilities" are irrelevant, causing alert fatigue and diverting attention from meaningful security work.
Time Constraints and Complexity Managing Dependency Security Updates
6Developers struggle with time constraints (cited by 26.2%) and difficulty keeping up with security updates and emerging threats (17.6%), while managing complex dependency trees. The complexity of dependency management itself poses a significant barrier.