Verify if an NPM package is official - node.js

I am developing an app that needs to use the Binance API. I found an NPM package: https://www.npmjs.com/package/#binance/connector
But I am not sure if it is an official one or created by someone else. What are the criteria to identify a good npm package? By good I mean not containing any malicious code.

The NPM package links to a GitHub repo. The GitHub repo readme links back to the NPM package. So far so good.
The GitHub repo is published under the binance organization, which has the verified tag with comment:
We've verified that the organization binance controls the domain: www.binance.com
So assuming that we can trust the GitHub verification process, this particular NPM package is legit and really comes from Binance.
General rules of thumb to roughly identify a level of trustworthiness of an NPM package:
Published by a verified organization.
Downloads amount. A package with 1k weekly downloads is more likely to be legit, compared to a package with 1-2 downloads a week.
Size of the community around this package. Look for the number of contributors, an official website, and a support forum with active users. These are signs that the package is probably all right.
If the package is business critical for your case, always do your own due diligence and look through the code.

Related

When to add a dependency? Are there cases where I should rather copy the functionality?

I lately helped out on a project, where I added a really small dependency - in fact, it only contained a regular expression (https://www.npmjs.com/package/is-unc-path).
The feedback I got from the developer of the project was that he tries to minimize third-party dependencies if they can be implemented easily - whereby he - if I understand it correctly - asks me to just copy the code instead of adding another dependency.
To me, adding a new dependency looks just like putting some lines of code into an extra file in the repo. In addition, the developers will get informed by an update if the code needs a change.
Is it just a religious thought that drives a developer to do this? Are there maybe any costs (performance- or space-wise, etc) when adding a dependency?
I also had some disputes with my managers once concerning third-party libraries; the problem was even greater: he got into believing that you should version the node_modules folder.
The source of any conflict is usually ignorance.
His arguments were:
you should deliver to the client a working product without needing him to do any other jobs like npm install
if GitHub or npm is down at the moment you run npm install on the server, what will you do?
if the library that you install has a bug, who will be responsible?
My arguments were:
versioning node_modules is not going to work due to how package dependencies work: each library will download its own node_modules dependencies and then your git repository will grow rapidly to hundreds of MB. Deploys will become slower and slower; downloading half a GB of code each time takes time. npm does use a module caching mechanism: if there are no changes it will not download code uselessly.
the problem with left-pad was painful, but after that npm implemented a locking system and now for each package you just lock to a specific commit hash.
And GitHub and npm do not run as a single-instance service; they run in the cloud.
When installing a dependency you always have some ideas behind it, and there are community best practices; usually they come down to: 1. Does the repo have unit tests? 2. The download number. 3. When was the latest update?
The Node.js ecosystem is built on modularity; it is not that node is so popular because of some luck, but because of how it was designed to create modules and reuse them. Sometimes working in a node.js environment feels like putting Lego pieces together and building your toy. This is the main cause of super fast development in node.js. People just reuse stuff.
Finally he stayed on his own ideas, and I left the project :D.

How could I download many NPM modules without npm install?

Okay, so I get it that I might be looking for a totally unexpected behavior.
My current company has nothing for me to do for a few weeks, so I would like to start a side project. The problem is, the firewall is really strong here, so I cannot download anything with Git or Npm. I also am not allowed to do any request to the IT support, since I am not in my company's office but some offices owned by a client (that applies said strict policy). In short, I am stuck with firewall and proxy policies that I cannot modify.
I may download a module's zipped archive through the browser, and install it from there. However, it has multiple dependencies, that themselves have dependencies, and so forth. And since I cannot run npm install to retrieve the dependencies, I'm stuck.
I saw multiple possible solutions in order to solve those dependencies issues:
make NPM run all requests and downloads through the browser, since browsers are allowed to access the network. I don't see any options for that so far.
Download all required dependencies as tarballs and install each of them step by step. Because the number of dependencies is potentially huge, I am looking for a big bulk of commonly used modules to download once.
Most solutions I find assume that I can use npm install properly, while my proxy doesn't allow it.
I wouldn't like to spend days on Chrome's built-in game. Any idea?
Maybe you can create the project somewhere else, and then "import" it on your office local machine:
npm init
edit package.json with your dependencies
npm install
put everything on usb stick and put it on your local computer at work.
or
send an archive of the code via email and download the tarball from email at office.

NPM (node package manager) security and voting

Anyone can publish their Node.js package to open Node Package Manager (npm) pool.
Are there any security checks for published packages, so that I can be sure that a new package won't contain any harmful code?
Also it's interesting to know if there is any voting system for node packages so that I can pick out the most voted package from a bunch of similar node packages?
The Node Security Platform is a tool designed to help developers do just that! You can test your project dependencies for known vulnerabilities in a variety of ways - from the command line, integrated with your CI system, or integrated with github.
The vulnerabilities are discovered via two sources:
A team of seasoned node.js security professionals actively auditing modules on npm.
Submissions from community members, which are verified by the aforementioned team.
It's also free to use the command line tool, as well as integration with open source github repositories.
If you are using npm enterprise, nsp is also partnered with npm to provide sidebar integration. This allows you to see vulnerability information right from the npme web ui, which sounds like what you are looking for.
As far as module popularity goes, there is a website that does this to some degree at nodejsmodules.org. I use it from time to time, but beware - they've got a very expired HTTPS cert.
Disclosure: I am an employee of ^Lift Security, the company behind the Node Security Platform.
You can also use https://nodesecurity.io/ to add security checks into your GitHub pull request flow.
If you perform a search on npmjs.com before pulling a module into your system, the index of all packages on npmjs.com takes into account maintenance, quality, etc.
npm search is also a good option for npm package voting.
The npms analyzer continuously analyzes the npm ecosystem, gathering as much information as possible from a variety of sources, including GitHub, David and nsp. Using the collected information, a final score for each package is calculated based on four different aspects: Quality, Maintenance, Popularity, and Personalities.

Is there a way to check update for particular npm package using rss/atom or other similar way?

I found only this thread, where a user asks a similar question but without an answer: ( https://github.com/npm/npm-registry-couchapp/issues/17 )
I know two sites that are repositories of NPM packages:
https://www.npmjs.com
http://libraries.io
And I can't find a way to obtain an RSS feed for a single package the way it is done for GitHub or SourceForge:
https://github.com/<author_name>/<package_name>/releases.atom
http://sourceforge.net/projects/<project_name>/rss?limit=20
And yes, I know that I might check what the GitHub repository for a given NPM package is and do it that way, but I specifically ask for a way to reach this info from some kind of NPM repository that tracks whether a given package changed its git address (not necessarily the two I added here as examples.)
It is hard to find these tricks via Google because it thinks I'm searching for some kind of NPM package that deals with RSS/Atom.
I've recently added a release Atom feed to all packages on libraries.io; simply add /versions.atom to the end of any project page URL, for example:
https://libraries.io/npm/node-sass/versions.atom
With npm modules it should never be more than 10 minutes delayed in showing the newest version.
You need to hit your requests against an NPM registry, i.e. https://registry.npmjs.org/-/rss.
For single packages, the URL should be https://registry.npmjs.org/-/rss/browserify, but the responses aren't being constructed correctly at the time of writing.
Alternatively, you could go for a JSON response, i.e. https://registry.npmjs.org/browserify. For a more programmatic way of accessing package details, you can use npm-registry-client.
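As an added illustration (not code from any answer on this page), the Node.js script below takes a package document in the shape the registry serves at https://registry.npmjs.org/<name>, as mentioned in the answer above, and applies the rules of thumb from the first answer on this page: repository under the expected GitHub organisation, maintainers listed, and at least 1k weekly downloads. The metadata, organisation name and download count are constructed sample values, and the %2F encoding of scoped names in the registry URL is an assumption.

```javascript
// Added example, not from the page: apply the trust checks from the first
// answer to registry metadata shaped like https://registry.npmjs.org/<name>.
// All sample values below are constructed; they describe no real package.

// Registry document URL; the slash in a scoped name is encoded as %2F
// (assumption: this is the form the registry expects for scoped names).
function registryUrl(name) {
  return 'https://registry.npmjs.org/' + name.replace('/', '%2F');
}

// Normalise the forms a package.json "repository" URL can take
// (git+https://, git://, git@github.com:org/repo.git) to { host, org, repo }.
function parseRepoUrl(raw) {
  if (!raw) return null;
  const s = raw.replace(/^git\+/, '').replace(/\.git$/, '');
  const scp = s.match(/^git@([^:]+):([^\/]+)\/(.+)$/); // scp-like syntax
  if (scp) return { host: scp[1], org: scp[2], repo: scp[3] };
  try {
    const u = new URL(s);
    const [org, repo] = u.pathname.replace(/^\/+/, '').split('/');
    return org && repo ? { host: u.hostname, org, repo } : null;
  } catch (e) { return null; } // not a URL at all
}

// Return the failed checks; an empty list means every signal passed.
// Passing is a rough trust level, not proof that the code is harmless.
function assessPackage(meta, weeklyDownloads, expectedOrg) {
  const problems = [];
  const latest = meta['dist-tags'] && meta['dist-tags'].latest;
  if (!latest || !meta.versions || !meta.versions[latest]) problems.push('no installable latest version');
  const repo = parseRepoUrl(meta.repository && meta.repository.url);
  if (!repo) problems.push('no parseable repository URL');
  else if (repo.host !== 'github.com' || repo.org !== expectedOrg)
    problems.push(`repository is ${repo.host}/${repo.org}, expected github.com/${expectedOrg}`);
  if (!Array.isArray(meta.maintainers) || meta.maintainers.length === 0) problems.push('no maintainers listed');
  if (weeklyDownloads < 1000) problems.push(`only ${weeklyDownloads} weekly downloads`); // 1k rule of thumb
  return problems;
}

// Constructed sample in the registry document shape (abbreviated).
const SAMPLE_META = {
  name: '@example-org/connector',
  'dist-tags': { latest: '1.0.0' },
  versions: { '1.0.0': { dist: { tarball: 'https://example.invalid/connector-1.0.0.tgz' } } },
  maintainers: [{ name: 'example-maintainer' }],
  repository: { type: 'git', url: 'git+https://github.com/example-org/connector-node.git' },
};
```

In real use you would fetch registryUrl(name), pass the parsed JSON body as meta, and take the weekly download figure from the package's npmjs.com page; a clean result still calls for reading the code, as the first answer says.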

Can the "author" field on Nuget be spoofed? Can I trust the file's authenticity?

I'm browsing NuGet libraries from an author and see questionable content, something that doesn't have the same quality as some of the prior work I've seen.
How do I know that the author of a NuGet package is really that person?
Can I extend that trust into the built-in update process of NuGet?
The "author" is simply metadata that is included in the .nuspec file. See http://docs.nuget.org/docs/reference/nuspec-reference. This can be different from the package owner/creator.
In the beginning when NuGet was starting out, there were a few people that were creating packages for projects that they didn't author mainly to get the package in the repository.
Now that NuGet is more established, it is recommended that people contact the project owner and have them create their own NuGet package.
For packages that have already been uploaded to the repository by someone other than the author, the author can request to have the ownership transferred to them.
Since there's no guarantee that the package creator is the original author, I'm not sure how that affects trust. However, if you install a package, it is pretty safe to say that updates will either be from the same person that created the initial package, or potentially it will have transferred to the actual author of the project.
In other words, trust will likely be the same or perhaps better (if actual author), but seldom worse than the original package you installed.
Hope that helps.
I know this is a fairly old question, but this is the best answer I've found. I'd like to add my $.02 to the till. I've got a couple of packages on nuget.org that are based on another package: Unity.Mvc3.VB, Unity.Mvc3.DLL, and I'm working on a Unity.Mvc4.VB package. They're all based on Unity.Mvc3 from devtrends. The DLL project basically just installs the assembly reference for Unity.Mvc3 without the C# source code files so that it's a little easier to use in projects of other languages. The VB package(s) include VB.Net versions of the C# source files. Since I didn't write anything other than the nuspec file in the DLL package, I just listed Paul Hiles as the author and myself as the package owner.
For the VB package(s), again I'm listed as the owner, but for the author I list Paul and myself with each of our contributions in parenthesis like so:
The idea is that I'm giving credit to the original author of my derivative work.
Kiliman's answer is correct and comprehensive. I would like to add that it is up to the community to start writing reviews of nuget packages in the NuGet Gallery. Reviews are very few and far between and they have a star-rating system, so if you don't think a package is useful, or if you have concerns about a particular package, write them there and help your fellow programmers.
