Sources

1) Performance Issues: npm can sometimes suffer from performance issues, especially in large-scale projects with many dependencies. Some developers find Yarn and pnpm faster. Slow installation times and high resource consumption may impact developer productivity and build times. 2) Versioning Complexity: Managing package versions and dependency conflicts can be very challenging with npm, particularly in projects with complex dependency trees. 3) Security Concerns: npm packages are not immune to security vulnerabilities, and relying on third-party code introduces potential risks to projects. 4) Dependency Bloat: npm's default behavior of installing packages locally can lead to dependency bloat, where projects accumulate unnecessary dependencies over time. Please dont take as I am defaming the NPM these are the problem I found with NPM while I was working on monorepos

**TL;DR:** The npm ecosystem is dangerously fragile. The September 2025 attack exposed deep, systemic flaws in how we manage and secure open source packages. Fixing this requires more than patching vulnerabilities—we need structural reforms, from governance to cryptographic safeguards. The npm package registry is the beating heart of modern software development. But in September 2025, that heart skipped a beat. A coordinated attack compromised several high-traffic npm packages, affecting projects downloaded over 2 billion times. While the breach was detected quickly, the implications run far deeper than a single incident. ... When attackers breached multiple npm packages—some with billions of downloads—they didn’t just exploit individual weaknesses. They exposed systemic issues in how the ecosystem operates. According to OX Security’s analysis, attackers used social engineering and credential theft to gain access to maintainer accounts. ... It was a failure of the system that puts critical infrastructure in the hands of unpaid volunteers with few safeguards. ### Why the Current npm Model Is Broken The npm ecosystem relies on a few core assumptions that no longer hold up under scrutiny: #### 1. **Single Maintainer Control Is a Risk** Many popular packages are maintained by one or two individuals. If their credentials are compromised—or if they burn out—the entire chain of dependent software is at risk. We need **multi-party authorization** for publishing updates to high-impact packages. #### 2. **Lack of Cryptographic Verification** Right now, anyone with access to a maintainer account can publish a new version of a package. Without **cryptographic package signing using hardware security keys**, there’s no end-to-end trust in what developers are installing. #### 3. **Weak Authentication Practices** The attack succeeded in part due to phishing and weak authentication. For critical packages, we need **phishing-resistant authentication**, such as mandatory hardware tokens or biometric verification. #### 4. **No Economic Support for Maintainers** Expecting unpaid individuals to secure core infrastructure is unrealistic. We need **economic models** that provide sustainable funding for security audits, maintenance, and incident response. #### 5. **Orphaned Packages Create Risk** When maintainers step away, critical packages can become orphaned. Without a **governance structure** to take over responsibility, these packages become soft targets for attackers. #### 6. **Manual Security Reviews Don’t Scale** Given the volume of updates, **automated security review processes** are essential. These can flag anomalies, detect malicious patterns, and reduce the burden on human reviewers. #### 7. **No Community-Led Oversight** We need **community-driven security committees** for widely used packages like `chalk`, `debug`, and `lodash`. These groups can provide oversight, coordinate responses, and enforce best practices. ### Key Takeaways **Centralized control is a vulnerability**: Critical packages should require multi-party approval for updates. **Trust must be verifiable**: Implement cryptographic signing and hardware-based authentication. **Security requires resources**: Fund and support maintainers of essential packages. **Governance matters**: Create fallback structures for maintaining orphaned or high-risk dependencies. **Scale with automation**: Use automated tools to review and flag suspicious updates. … • Continuous Integration and Continuous Deployment (CI/CD): Building a Better Future One Commit at a Time – CI/CD practices are closely tied to npm workflows; this article explores how better tooling and automation can solve ecosystem pain points such as dependency issues and deployment reliability. • Why “Move Fast and Break Things” Might Break Your Business – This piece critiques the rapid iteration culture that often leads to fragile package ecosystems, offering a philosophical counterpoint relevant to npm’s current challenges and the need for more responsible development practices.

`package.json` which will satisfy a dependency), it is all but impossible to say exactly *what* you’ll get *a priori*, as large parts of the dependency graph may change substantially between package versions. Really, all of this simply compounds the root problem: well meaning development principles have been pushed to their logical extreme. This ultimately makes simply understanding what you’ll get with a given install an almost impossibly hard problem. This is doubly true if you want to develop anything more than a cursory understanding of the stuff that sits upstream from your development efforts – not mentioning the authors and maintainers *behind* those packages. … ### It Only Gets Worse While all of this seems bad enough, what about updates to those 7,000 existing packages? Even if we have undeniable proof that all of the authors sitting upstream are honest and well intentioned, what happens if they suffer a credential breach, like the relatively-recent one suffered by Docker Hub? Additionally, what if their account credentials are compromised in some other way? … *thousands* of third party dependencies for a single library is astronomical – especially when you consider that many of those packages (especially in the NPM ecosystem) are less than 5 (not 500, or 5k, but 5) Source Lines Of Code (SLOC) in length. While that is generally not a great measure of effectiveness, the risk/reward and maintenance trade-offs of incorporating libraries which have many times more text in licenses and packaging files (such as build files, manifests, etc) than what resides within the body of the package itself is absolutely terrible.

We examined developers’ understanding of security risks, the practices and tools they use, the barriers to stronger security measures, and their suggestions for improving the npm ecosystem’s security. Method: We conducted an online survey with 75 npm package developers and undertook a mixed-methods approach to analyzing their responses. Results: While developers prioritize security, they perceive their packages as only moderately secure, with concerns about supply chain attacks, dependency vulnerabilities, and malicious code. Only 40% are satisfied with the current npm security tools due to issues such as alert fatigue. Automated methods such as two-factor authentication and npm audit are favored over code reviews. Many drop dependencies due to abandonment or vulnerabilities, and typically respond to vulnerabilities in their packages by quickly releasing patches. Key barriers include time constraints and high false-positive rates. … The findings revealed that supply chain attacks ranked as the main concern, followed closely by dependency vulnerabilities and malicious code injection, which are ranked second and third, respectively. In addition, the two top-ranked threats received very similar scores, indicating a high level of concern among developers. Next, respondents were presented with an optional free-text response question (#12) to specify other areas they perceive as significant security threats to npm packages. ... The themes identified are: … - • Security Tool Issues. The primary concern is alert fatigue caused by “too much noise” in security notifications, where the volume of alerts can make it difficult to identify and prioritize genuine security threats. - • Ecosystem Fragmentation. Ensuring support for multiple package managers (e.g., npm, pnpm, yarn) and JavaScript runtimes (e.g., Node, Deno, Bun) can make package maintenance challenging, which can distract developers from security concerns. … - • Tool Noise and Alert Fatigue. Respondents complained that security scanners generate too many false positives or contextually irrelevant warnings, as one respondent noted, “The security scanning system in npm is a complete joke and more of a nuisance than anything. 99% of the “vulnerabilities” are idiotic and not worthy of a real CVE.” These excessive or low-value alerts may be counterproductive, as they divert developers from conducting meaningful work. As another remarked, “way to noising and causing lots of work for maintainers.” … Summary for RQ1. Developers viewed security as important and essential, yet most rate their own packages only “Somewhat Secure.” The primary security concerns include supply chain attacks, dependency vulnerabilities, and malicious code injection. Only 40% of developers are satisfied with the current security tools for npm packages. Common issues include alert fatigue, feature gaps, and a lack of awareness about available tools. … As shown in Table 7, respondents most frequently cited time constraints as a key barrier (49 responses; 26.2%). Other notable challenges included difficulty keeping up with security updates and emerging threats (33; 17.6%) and the complexity of managing dependencies (23; 12.3%). Insufficient community support was the least cited issue, reported by only 11 respondents. In addition, security testing and balance of security with other quality attributes each received 14 responses. On average, respondents selected approximately three distinct challenges, underscoring that obstacles are multifaceted rather than isolated. … At the tool level (Table 8), the obstacle most frequently reported was a high false-positive rate in security scans (35 responses; 30.2%), followed by inaccurate vulnerability detection and limited automation for dependency management. The least reported issue was integration difficulties with CI/CD pipelines (7 responses). Comments in the “Other” category included licensing constraints, overreliance on dependencies, and tools limited to static analysis. … Summary for RQ3. Time constraints are the most frequently cited barrier to secure package development, with other challenges including difficulties in keeping up with security updates and managing dependencies. At the tool level, a high false-positive rate in security scans was the most frequently reported issue, while CI/CD integration issues are comparatively rare. … Supply Chain Vulnerabilities and Ecosystem Fragility. Our findings confirm that supply chain attacks and dependency vulnerabilities are developers’ primary concerns in the npm ecosystem, with free-text responses describing trust issues with maintainers, unmaintained dependencies, and risky post-install scripts. These results align with broader research showing that attackers exploit three main vectors: injecting vulnerabilities into dependencies, compromising build infrastructure, and targeting developers through social engineering (Williams et al., 2025). Addressing these issues necessitates better auditing tools, registry monitoring, and enhanced governance and community practices for secure maintenance. Dependency Problems and Discontinuation Decisions. There is notable variability in dependency update practices among developers: some adopt proactive, automated strategies, while others never update dependencies unless prompted by external events. This variability increases systemic risk, as outdated and abandoned dependencies persist in the ecosystem. When developers do discontinue dependencies, the most frequent drivers are package abandonment and unpatched vulnerabilities, further highlighting the fragility of the dependency network.

We examined developers’ understanding of security risks, the practices and tools they use, the barriers to stronger security measures, and their suggestions for improving the npm ecosystem’s security. ... Results: While developers prioritize security, they perceive their packages as only moderately secure, with concerns about supply chain attacks, dependency vulnerabilities, and malicious code. Only 40% are satisfied with the current npm security tools due to issues such as alert fatigue. Automated methods such as two-factor authentication and npm audit are favored over code reviews. Many drop dependencies due to abandonment or vulnerabilities, and typically respond to vulnerabilities in their packages by quickly releasing patches. Key barriers include time constraints and high false-positive rates. To improve npm security, developers seek better detection tools, clearer documentation, stronger account protections, and more education initiatives.

In software development, consistency and stability are critical — especially when managing dependencies. However, NPM’s default behavior when installing packages—using the caret ( `^`) in `package.json` — creates a fragile environment that often leads to frustrating issues for developers. Idempotent and reproducible dependency management should be the standard experience by default, but NPM’s use of `^` undermines this goal. Here’s why it’s time to rethink the default use of caret versioning in NPM, and how it sets developers up for future pain, particularly given the complexities of semantic versioning (semver). … This means that any future installation can upgrade the `lodash` dependency to anything below `5.0.0`. While this aims to provide developers with bug fixes and new features without manual intervention, it introduces significant risks: **unexpected changes**, **hidden regressions**, and **version incompatibilities** in complex projects. ## 1. Semver is Hard—and NPM Makes it Harder Semantic versioning (semver) is designed to make versioning predictable: major versions introduce breaking changes, minor versions add features, and patches fix bugs. However, not all packages in the JavaScript ecosystem strictly adhere to semver rules. Accidental breaking changes are common, even in minor or patch versions. By defaulting to `^`, NPM shifts the burden of semver compliance onto developers, who must constantly monitor updates to avoid potential breakages. This behavior creates unpredictable outcomes that often surface in production or CI pipelines. **NPM’s default makes the promise of semver nearly impossible to uphold**, resulting in wasted time troubleshooting issues that stem from unintended updates. … ## 3. ^ is a Time Bomb Waiting to Go Off The flexibility provided by ^ introduces risks that compound over time. Here’s why: **Invisible Updates**: Dependencies can be updated silently, resulting in unexpected issues. **Version Conflicts**: As the dependency tree grows, conflicts arise between direct and transitive dependencies. **CI Pipeline Failures**: Even if code works locally, a new patch version of a dependency may cause unexpected CI build failures. … ## Conclusion NPM’s default use of the caret ( `^`) for versioning creates more problems than it solves. In an ideal world, semantic versioning would work flawlessly, but in reality, **semver is hard** — and NPM’s current behavior makes it even harder by encouraging version drift and unpredictable builds. A reproducible, idempotent developer experience should be the default, not the exception.

RedMonk has been following package management forever, but what has only become more true in 2025 is that building modern applications requires pulling down and managing a boatload of dependencies. Running the command npm install in the CLI for a React Native project, for instance, can add close to 1,500 dependencies to the package.json file. … Meanwhile, developer forums on Reddit and Hacker News are awash with stories about malicious and spam npm packages. In addition to the lottie-player library exploit, which Jakub Pavlík, co-founder & head of engineering at Exaforce, explains: “highlighted the fragility of the NPM ecosystem’s security,” Phylum Research’s “The Great npm Garbage Patch” discusses: “the proliferation of spam packages in npm associated with the Tea protocol, a decentralized initiative that promises to compensate software developers in cryptocurrency for their open-source contributions.” … The Node community is particularly concerned about the state of npm. According to Robin Bender Ginn, Executive Director of the OpenJS Foundation: > JavaScript developer communities are telling us that they see real or perceived security and performance gaps with npm/GitHub. Consequently, the JavaScript ecosystem risks fragmentation, with new package registries emerging. This outcome is less than ideal due to the significant burden of maintaining registries, potential interoperability challenges, and evolving security compliance requirements.

In December 2025, in response to the Sha1-Hulud incident, npm completed a major authentication overhaul intended to reduce supply-chain attacks. While the overhaul is a solid step forward, the changes don’t make npm projects immune from supply-chain attacks. npm is still susceptible to malware attacks – here’s what you need to know for a safer Node community. ## Let’s start with the original problem Historically, npm relied on classic tokens: long-lived, broadly scoped credentials that could persist indefinitely. If stolen, attackers could directly publish malicious versions to the author’s packages (no publicly verifiable source code needed). This made npm a prime vector for supply-chain attacks. Over time, numerous real-world incidents demonstrated this point. Shai-Hulud, Sha1-Hulud, and chalk/debug are examples of recent, notable attacks. ## npm’s solution To address this, npm made the following changes: 1. npm revoked all classic tokens and defaulted to session-based tokens instead. The npm team also improved token management. Interactive workflows now use short-lived session tokens (typically two hours) obtained via npm login, which *defaults* to MFA for publishing. 2. The npm team also encourages OIDC Trusted Publishing, in which CI systems obtain short-lived, per-run credentials rather than storing secrets at rest. … ## Two important issues remain First, people need to remember that the original attack on tools like ChalkJS was a successful MFA phishing attempt on npm’s console. If you look at the original email attached below, you can see it was an MFA-focused phishing email (nothing like trying to do the right thing and still getting burned). The campaign tricked the maintainer into sharing both the user login and one-time password. This means in the future, similar emails could get short-lived tokens, which still give attackers enough time to upload malware (since that would only take minutes). Second, MFA on publish is optional. Developers can still create 90-day tokens with MFA bypass enabled in the console, which are extremely similar to the classic tokens from before. These tokens allow you to read and write to a token author’s maintained packages. This means that if bad actors gain access to a maintainer’s console with these token settings, they can publish new, malicious packages (and versions) on that author’s behalf. This circles us back to the original issue with npm before they adjusted their credential policies. To be clear, more developers using MFA on publish is good news, and future attacks should be fewer and smaller. However, making OIDC and MFA on-publish *optional* still leaves the core issue unresolved. In conclusion, if (1) MFA phishing attempts to npm’s console still work and (2) access to the console equals access to publish new packages/versions, then developers need to be aware of the supply-chain risks that still exist. … 3. At a minimum, it would be nice to add metadata to package releases, so developers can take precautions and avoid packages (or maintainers) who do not take supply chain security measures. In short, npm has taken an important step forward by eliminating permanent tokens and improving defaults. Until short-lived, identity-bound credentials become the norm — and MFA bypass is no longer required for automation — supply-chain risk from compromised build systems remains materially present.

Even so, without an organized approach to managing npm packages, organizations will end up facing significant risks, including security issues resulting from vulnerabilities, non-compliance with licensing, and issues with poorly maintained packages. That’s where this article comes in. ... When using npm packages across an organization, creating clear standards helps avoid issues like version conflicts and security vulnerabilities. Managing internal repositories requires a bit of a different approach to open-source community repositories. Three key practices for doing this are: **⭐ Use Scopes**: represented by prefixes like `@my-org/package-name`, these help prevent dependency confusion and ensure organizational identity. … ### npm Package Approval Flows & Connectors Using npm packages in development directly from npmjs.org is pretty common, but a *big * risk, especially at enterprise level. Quality, security, and licensing of npm packages vary widely, and could expose your projects to vulnerabilities or legal issues. The sheer number of npm packages and dependencies (potentially 1000+ in any given project) can also overwhelm your team, increasing the chance of errors and security oversights. To get around this, organizations should implement processes to make sure only approved npm packages are used in development. There are a couple of options for this: **💡 A package approval workflow** to vet and promote packages to an “approved” repository, making sure developers can only use packages assessed as safe for production **💡 Filtering npm packages** by scope to block unverified ones by default. … ## Maintaining npm Package Integrity and Safety ... Vulnerabilities in npm packages can lead to anything from data breaches or code injection attacks to unauthorized access to sensitive information. Running `npm audit` helps identify these vulnerabilities, but it can be difficult to determine which *actually * pose a risk since this only provides a severity rating, not a detailed risk assessment. Just because a package’s severity is “**high**”, doesn’t necessarily mean it’s easily exploitable. Addressing vulnerabilities shouldn’t just be a case of upgrading packages blindly, as you may just end up with new issues or broken functionality. Instead, you should be assessing each vulnerability individually, determining the actual risk it poses to your development. Package managers like ProGet can help with this process by assessing vulnerabilities based on your organization’s operational profile, and providing actionable guidance via its PVRS categorizations, avoiding the review fatigue that comes with manually assessing all of a project’s package vulnerabilities. ### npm Dependencies with Lock Files Part of managing npm dependencies is dealing with version conflicts. If one developer installs Express version `4.16.0` and another installs `4.18.0`, this can lead to compatibility issues and a broken application. Lock files (e.g., `package-lock.json`) resolve these issues by recording exact package versions, ensuring all team members work with the same environment. To make dependency management smoother, you should: ⭐ **Commit lock files regularly**: This keeps versions consistent across all environments. ⭐ **Specify precise version ranges in `package.json`**: Avoid potential conflicts and keep things predictable. ⭐ **Update dependencies regularly**: Keep your app secure and benefit from the latest features and bug fixes. ⭐ **Use a private package repository**: Using a private package repository like ProGet gives you more control over what packages get used in production. That covers the safety of packages and development, but doesn’t really make sure your npm packages meet your organization’s legal and compliance needs. ... Relying on npm tags like “`latest`” or “`next`,” when managing npm packages in development can lead to dependency conflicts and unexpected breakages. Let’s say one developer tags a pre-release version as “`alpha`” and another developer uses the same tag for a different pre-release version, the original tag can be overwritten. This is a big deal in CI/CD workflows, where unstable code can easily slip into production, causing all kinds of headaches. … ## Effective npm Management in Your Organization Managing npm packages in your organization can be tricky—security risks, legal issues, and poorly maintained packages are just the start. Throw in version conflicts and audit fatigue, and it can quickly get overwhelming. To stay ahead, it’s important to establish clear npm practices like using scoped packages, enforcing Semantic Versioning, and automating license compliance. Implementing approval workflows, running regular vulnerability assessments, and using lock files can help keep things secure. Tools like ProGet can also make the process easier and reduce risks.

## TL;DR The npm ecosystem seems unwell. If you are concerned with security, reliability, or long-term maintenance, it is almost impossible to pick a suitable package to use — both because there are 1.3 million packages available, and even if you find one that is well documented and maintained, it might depend on hundreds of other packages, with dependency trees stretching ten or more levels deep — as one developer, it’s impossible to validate them all. … ## The premise I don’t like the way I feel when I’m installing packages with npm. Selecting a package, installing it, discovering the 93 additional packages that were installed along with it, and hoping all of *them* are also suitable for my project… it feels out of control. I feel unhappy because picking dependencies is hard, so I blame npm, and that way my problems are not my fault. … So while I am less concerned with packages having large and deep `devDependency` trees (I *am* still concerned, but less so), it seems that a large proportion of packages aren’t making use of the distinctions between `dependencies` and `devDependencies` in the first place. That *is* concerning. ## Dependency tree depths I am defining the depth of a package’s dependency tree as the longest dependency-of-a-dependency-of-a-dependency chain I can find. Especially deep dependency trees are a problem because of how difficult they make it to audit all the packages that will get installed when including a single new package. The *average* dependency tree depth in npmjs.org is just under 4. Which doesn’t sound too bad! … **Imagined:** ... Remember that we were hoping for mostly 2, 3, and 4. Instead, there is still a long tail of packages with tree depths *above 20*. 20 is… much larger than I was expecting, and I was expecting to be disappointed. … ## Experiment conclusions Certainly, npm doesn’t match my hoped-for “healthy” qualities. You can take that to mean my desires are unrealistic, or that something is genuinely wrong. As homework for the reader: an easy way to disprove my analysis would be to show that other package repositories have the same issues: cycles, high depth, high indirect dependencies, a large proportion of unmaintained packages, packages from the statistical tails among the most-used, etc. … None of these things are bad! I am glad javascript is popular; I am glad npm made a thoughtful and easy way to publish packages; I am glad we fixed the impermanent-package dangers that `left-pad` so dramatically exposed. But the collection of these observations, combined with human nature, results in npmjs.org having 5 times more packages than PyPI, a huge number of which are undocumented, maintained, unused, or nonsensical. Even among the popular and frequently maintained packages, you’ll find packages with vast numbers of dependencies, including dependencies with security issues, deprecations, circular dependencies, and so on.

Many developers feel GitHub has left npm to stagnate since its 2020 acquisition, doing just enough to keep it running while neglecting innovations. Security problems and package spam have only intensified these frustrations. Yet these newcomers face the same harsh reality that pushed npm into GitHub's arms: running a package registry costs serious money -- not just for servers, but for lawyers handling trademark fights and content moderation. Many developers feel GitHub has left npm to stagnate since its 2020 acquisition, doing just enough to keep it running while neglecting innovations. Security problems and package spam have only intensified these frustrations. Yet these newcomers face the same harsh reality that pushed npm into GitHub's arms: running a package registry costs serious money -- not just for servers, but for lawyers handling trademark fights and content moderation. ## "Problem: There are now 28 competing standards." (Score:2) ## Re: (Score:3) ... You can publish any sort of tool for others to use in their projects easily, and on the other side you can find a tool for almost anything you need. But the idea of just changing the code you fetch to suit your needs has become an extremely difficult problem to solve. You can't just go edit the code to fix it for your case and push it to your team's repo, and send a patch to the owner if you think it helps. No. Now you gotta go up to th

**Bad:** When requesting an Access Token the request will fail if you include any parameters that it is not expecting. Google does not require a `state` or `type` parameter when getting the token like some other APIs do and will give you a 400 Bad Request with an `invalid_request` error if they are included. … ### 37signals **Bad:** When you create the app you select which services you want your app to have access to but during the auth flow only one of the services is displayed. **Bad:** There’s no support for limiting access to read-only via scopes. The only option is full read/write for all of the apps selected. … ### Box **Bad:** The redirect URL settings requires HTTPS which can be difficult if you’re trying to test locally (for instance my test app runs on http://localhost:5001 which is accepted every where else). Box has informed me this will be resolved soon. **Bad:** Does not use scopes for read-only or read/write access (is configured with the application). Box has also told me they will be changing this once they have more than one scope.