NPM registry users download deprecated packages an estimated 2.1 billion times weekly, according to a statistical analysis of the top 50,000 most-downloaded packages in the registry.
Deprecated, archived and “orphaned” NPM packages can contain unpatched and/or unreported vulnerabilities that pose a risk to the projects that depend on them, warned the researchers from Aqua Security’s Team Nautilus, who published their findings in a blog post on Sunday.
In conjunction with their research, Aqua Nautilus has released an open-source tool that can help developers identify deprecated dependencies in their projects.
NPM publishers may archive packages rather than address security flaws
Open-source software may stop receiving updates for a variety of reasons, and it is up to developers/maintainers to communicate this maintenance status to users. As the researchers pointed out, not all developers are transparent about potential risks to users who download or depend on their outdated NPM packages.
Aqua Nautilus researchers kicked off their analysis after finding that one open-source software maintainer responded to a report about a vulnerability Nautilus discovered by archiving the vulnerable repository the same day.
By archiving the repository without fixing the security flaw or assigning it a CVE, the owner leaves developers of dependent projects in the dark about the risks, the researchers said.
Aqua Security researcher Ilay Goldman, a member of Team Nautilus, highlighted how vulnerabilities in the open-source supply chain can open the door for major cyberattacks.
“A prime example of this can be the Log4Shell vulnerability, which is not in npm but underscores the problem of using a package that has a vulnerability and should be treated as deprecated,” Goldman said in an email to SC Media.
With these potential consequences in mind, the Aqua Nautilus team sought to better estimate the reach of unmaintained NPM packages in the registry.
More than 20% of top 50K NPM packages may have maintenance gaps
The statistical analysis of NPM package deprecation encompasses both “officially deprecated” packages and other packages with an uncertain maintenance status due to having an archived or unavailable repository linked as a source commit.
Taking into consideration both deprecated packages and active packages that have a direct dependency on deprecated projects, the researchers found about 4,100 (8.2%) of the top 50,000 most-downloaded NPM packages fell under the category of “official” deprecation.
However, adding archived repositories to the definition of “deprecated” increased the number of packages affected by deprecation and deprecated dependencies to 6,400 (12.8%).
“Orphaned” packages with unavailable or non-existent repository source commits can also be considered deprecated due to decreased ability to track maintenance status, view commit history and report issues, the researchers said.
Including packages with linked repositories that are shown as unavailable (404 error) on GitHub increases the deprecation rate to 15% (7,500 packages), according to the Nautilus analysis. Encompassing packages without any linked repository brings the final number of deprecated packages to 10,600, or 21.2% of the top 50,000.
Team Nautilus estimated that under this broader understanding of package deprecation, about 2.1 billion downloads of deprecated packages are made on the NPM registry weekly.
The problem stretches even farther when considering the wide web of dependencies some of these packages create, such as the officially deprecated “request” package, which has more than 55,000 direct dependencies.
Is my project affected by NPM package deprecation?
Developers can use the free Dependency Deprecation Checker published by Aqua Security to begin identifying deprecated packages among their dependencies. The tool allows users to set the criteria for deprecation according to their preferences, such as by excluding packages with archived repositories from the search.
The researchers note that the tool is a proof-of-concept and thus not entirely comprehensive, but can give developers an idea of their deprecation status.
Aqua Security recommended that organizations establish deprecation protocols that outline their criteria for considering a package to be deprecated. The team also urges organizations to always update or replace deprecated dependencies whenever possible.
“It is critical to acknowledge that a deprecated dependency may serve as an entry vector for attack. In this context, GitHub could enhance its user notification mechanisms,” Goldman suggested. “Although npm displays deprecation messages, these could be expanded to include warnings when a package relies on a deprecated dependency.”
“Further integration with GitHub to ascertain whether a repository has been archived — and subsequently alerting the user — could significantly bolster developers’ awareness regarding the use of unmaintained packages,” Goldman concluded.
The complicated situation created by NPM dependencies was also highlighted earlier this month, when a package called “everything” that created dependencies with all other public packages left developers registry-wide unable to unpublish their deprecated projects.