Culture of using Open Source dependencies

Some techniques and thoughts about Open Source in general and the NPM registry in particular. This note was inspired by the article "What's Really Going On Inside Your node_modules Folder?" by Feross Aboukhadijeh.

First of all, let me clarify: using Open Source without caution is like living through a pandemic without a vaccine. Everything may be fine, or we may take a lot of damage; it depends only on the case.

Why is this happening? It's obvious: we are using code from the internet written by unknown people. We do not review this code, but we execute it with wide permissions on our machines.

If you do not believe me and think that Open Source is safe, just read this great article, or this thread, or try searching the news for npm malware. Otherwise, let me share some hygiene methods for using Open Source.

Do not install what you do not need

It's simple and logical, but I have seen a lot of projects where a dependency could be replaced with several lines of custom code. The most common case is using lodash for sorting or for safely reading a property from null or undefined.
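As an added illustration (not code from the original post), here are the two lodash uses named above written as a few lines of plain JavaScript: a path lookup with a fallback in place of `_.get`, a non-mutating key sort in place of `_.sortBy`, and optional chaining for the case where the path is known when the code is written. The sample objects at the bottom are constructed.

```javascript
// Equivalent of _.get(obj, 'a.b[0].c', fallback): walk a dotted/bracketed path
// and return the fallback when any step along the way is null or undefined.
function getPath(obj, path, fallback) {
  const keys = path.replace(/\[(\w+)\]/g, '.$1').split('.').filter(Boolean);
  let cur = obj;
  for (const key of keys) {
    if (cur === null || cur === undefined) return fallback;
    cur = cur[key];
  }
  return cur === undefined ? fallback : cur;
}

// Equivalent of _.sortBy(list, iteratee): sort on a derived key without
// mutating the input array (Array.prototype.sort is stable in modern engines).
function sortBy(list, keyFn) {
  return [...list].sort((a, b) => {
    const ka = keyFn(a), kb = keyFn(b);
    return ka < kb ? -1 : ka > kb ? 1 : 0;
  });
}

// When the path is fixed at write time, optional chaining needs no helper at all.
function cityOf(user) {
  return user?.address?.city ?? 'unknown';
}

// Constructed sample data for a quick run.
const sampleUser = { address: { city: 'Oslo' }, tags: [{ name: 'admin' }] };
console.log(getPath(sampleUser, 'tags[0].name', 'none')); // admin
console.log(getPath(null, 'address.city', 'none'));        // none
console.log(cityOf(undefined));                            // unknown
console.log(sortBy([{ n: 3 }, { n: 1 }, { n: 2 }], (x) => x.n)); // n: 1, 2, 3
```

Each of these is a handful of lines you can read in full, which is exactly what you cannot say about a transitive dependency tree pulled in for one utility.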

Run your code remotely

We should be very careful about running unknown code locally. The best solution is not to run it locally at all.

– MARC OHM, HENRIK PLATE, ARNOLD SYKOSCH, MICHAEL MEIER ("BACKSTABBER'S KNIFE COLLECTION: A REVIEW OF OPEN SOURCE SOFTWARE SUPPLY CHAIN ATTACKS")

By now, there are a lot of tools like Docker for this, and we can even use a local IDE against remote code (VS Code Remote Development).

Disable autoupdates for dependencies

It's a common rule for protecting against new bugs. I would like to share three simple rules for NPM here.

  1. Use npm ci instead of npm i.

  2. Commit the package-lock.json file to your repository.

  3. Pin dependency versions in package.json so they match exactly.
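The third rule is easy to let slip, because the default `npm install` writes caret ranges. The following is an added example, not from the original post: a small check that reads a package.json object and reports every dependency whose spec is a range (`^`, `~`, `*`, a dist-tag such as `latest`, or anything else that is not an exact version). The two manifests are constructed samples, one with the loose specs npm writes by default and one with every version pinned.

```javascript
// An exact semver version: MAJOR.MINOR.PATCH with optional pre-release/build
// suffix. Anything else (^1.2.3, ~1.2.3, *, latest, git URLs) is a range.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Return the dependencies whose spec is not an exact pin, across all
// dependency fields that end up in node_modules.
function findUnpinned(pkg) {
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const unpinned = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(String(spec).trim())) {
        unpinned.push({ field, name, spec });
      }
    }
  }
  return unpinned;
}

// Constructed "before" manifest: ranges of the kind `npm i` writes by default.
const loosePkg = {
  name: 'demo-app',
  dependencies: { express: '^4.18.2', lodash: '~4.17.21', debug: '*' },
  devDependencies: { jest: '29.7.0', eslint: 'latest' },
};

// Constructed "after" manifest: every spec is an exact version, so the same
// package.json plus package-lock.json always resolves to the same tree.
const pinnedPkg = {
  name: 'demo-app',
  dependencies: { express: '4.18.2', lodash: '4.17.21', debug: '4.3.4' },
  devDependencies: { jest: '29.7.0', eslint: '8.57.0' },
};

for (const hit of findUnpinned(loosePkg)) {
  console.log(`${hit.field}.${hit.name}: "${hit.spec}" is not pinned`);
}
console.log(`pinned manifest: ${findUnpinned(pinnedPkg).length} problems`);
```

To make npm write exact versions in the first place, `npm install --save-exact` (or `save-exact=true` in .npmrc) is the standard option. Note also why rule 1 matters together with rule 2: `npm ci` installs from package-lock.json and refuses to run when the lock file and package.json disagree, whereas `npm i` will quietly re-resolve ranges and rewrite the lock file.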

Update only if needed

This item is much the same as installing only the dependencies you need. It's wise to read change-logs and stick to your requirements. Usually, we can avoid some problems if we install only the updates that we understand, have waited for, and want to use.

Another point here is time. It would be smart to wait some time after a release before updating to it. Do not hurry.
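The waiting-period rule can be turned into a check rather than a habit. As an added example (not code from the original post), the function below takes the `time` map that the npm registry returns for a package (the shape printed by `npm view <pkg> time --json`: version strings mapped to publish timestamps, plus `created` and `modified` bookkeeping keys) and picks the newest release that has been public for at least a given number of days. The `sampleTime` map is constructed, not real registry data, and the plain `MAJOR.MINOR.PATCH` comparison is a simplification that skips pre-releases.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Parse "1.2.3" into [1, 2, 3]; returns null for anything else (pre-releases,
// and the registry's non-version keys such as "created" and "modified").
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// All releases published at least minAgeDays before `now`, oldest first.
function matureVersions(timeMap, now, minAgeDays) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  return Object.entries(timeMap)
    .filter(([v, published]) => parseVersion(v) && Date.parse(published) <= cutoff)
    .map(([v]) => v)
    .sort(compareVersions);
}

// The newest release that has survived the waiting period, or null if none has.
function newestMature(timeMap, now, minAgeDays) {
  const list = matureVersions(timeMap, now, minAgeDays);
  return list.length ? list[list.length - 1] : null;
}

// Constructed sample in the registry's `time` shape; 1.2.1 went out "yesterday".
const sampleTime = {
  created: '2023-01-10T12:00:00.000Z',
  modified: '2024-03-02T09:30:00.000Z',
  '1.0.0': '2023-01-10T12:00:00.000Z',
  '1.1.0': '2023-06-15T08:00:00.000Z',
  '1.2.0': '2024-02-20T10:00:00.000Z',
  '1.2.1': '2024-03-02T09:30:00.000Z',
};
const now = new Date('2024-03-03T00:00:00.000Z');

console.log(newestMature(sampleTime, now, 7));  // 1.2.0 (1.2.1 is too fresh)
console.log(newestMature(sampleTime, now, 0));  // 1.2.1
```

A seven-day wait is enough for many of the compromised-release incidents that were discovered and unpublished within a day or two, while costing nothing for the normal case where a release is simply fine.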

– MARC OHM, HENRIK PLATE, ARNOLD SYKOSCH, MICHAEL MEIER ("BACKSTABBER'S KNIFE COLLECTION: A REVIEW OF OPEN SOURCE SOFTWARE SUPPLY CHAIN ATTACKS")

Audit dependencies

The last and most difficult technique is reviewing the Open Source code itself. If you can really do it for all your dependencies, then you can skip the other points, because it will be enough. Usually, only big companies do it. But we can't just ignore this work either.

To find some balance in this work, we can concentrate on the bootstrap scripts (the install-time scripts inside package.json for npm), and services like https://socket.dev/ can help us with this.


Open Source code can significantly increase our productivity, but it can also destroy our work. We should invest in it and must be careful when using it. So, Open Source does not mean cost-free code.

– FEROSS ABOUKHADIJEH ("WHAT'S REALLY GOING ON INSIDE YOUR NODE_MODULES FOLDER?")

I understand that these pieces of advice are just an overview, but they can help you get started. Start protecting your code and yourself.