
By now you’ve probably heard that a hacker injected malicious code into event-stream. event-stream is a popular JavaScript npm package that is downloaded nearly 2 million times per week from the npm.org repository. The hacker obtained the package from the original author, who no longer had time to maintain it, and later released an update to the package that contained malicious code. The code only activated when the package was used inside the source code of Copay, a payment app used with Bitcoin.

While the malicious package has been pulled and fixes are in place, this security breach brings attention to a problem that the Node community has grappled with for a while: How do we properly maintain the key Node.js packages that are heavily depended on by users, along with all their various dependencies?

In many cases, these modules are created, released and become a key part of the toolkit used by Node.js developers. Later on, as circumstances change for the original authors (who most often maintain them in their free time), they can no longer maintain them due to lack of time, interest, or other reasons. With over 60,000 modules (and growing!), it’s time to address the problem.

Addressing package maintenance

Michael Dawson, the IBM community lead for Node.js and chair of the Node.js Technical Steering Committee, recently kicked off a Working Group in the Node.js project to work on this issue. You can read his blog post about the new team, including some history around the topic and initial plans going forward, in Call to Action: Accelerating Node.js Growth.

Among other things, some initial goals of the group include:

  • Defining and documenting the key packages in the Node.js ecosystem and the level of support they need.
  • Creating guidance, tools, and processes in order to help businesses identify the packages they depend on and provide resources to maintain those packages.
  • Giving businesses tools and insights into how their developers can help with the backlog.
  • Offering documentation and guidance to make it easier for maintainers to manage multiple streams of work and accept help from people who depend on their module.
  • Defining best practices that package maintainers can use (if they want to) instead of having to figure out how to best handle tasks on their own. As an example, one of the initial issues in the package-maintenance repository suggests that the team develop guidance on how to find new maintainers and to complete the handoff to those maintainers.

Get involved

Join the new package maintenance team and help us secure and accelerate the use of Node.js.