Last month, NodeSource released a new product called Certified Modules that aims to help secure the massive ecosystem of Node packages available today. npm is the world's largest software registry, with more than 2,070,812,887 weekly package downloads and 6.5 million developers using it on a monthly basis.
The product responds to a need to secure the ever-growing mass of modules that millions of developers rely on constantly. NodeSource Certified Modules offer a way to certify modules and make sure they are safe to use. A compromised or broken module used by thousands of developers and organizations could prove disastrous, so the product is meant to ensure that users install modules that are reliable and secure. Third-party modules present risks and are always something of a gamble, but with Certified Modules there is a certification process that evaluates each package and calculates a quantitative trust score.
The monitoring process will be ongoing, but paid. This way whenever you want to choose a certain Node.js module you can also take into account the safety factor.
This is the first time that something like this has been attempted for Node.js modules, and as such it represents uncharted territory. The concept and product certainly make sense and offer a needed layer of security, but they also imply trusting one single vendor to guard the safety of hundreds of thousands of modules used by a very large and ever-growing community.
NodeSource uses the following criteria for certifying modules:
- Security: All published modules are checked for known security vulnerabilities
- Licensing: Every module is checked to ensure it is fully licensed as open-source
- Integrity: Quality marks like quantitative documentation, testing tooling, and install size
You can read more about Certified Modules in their press release.
If you want to try out NodeSource Certified Modules you can (for free). You get a secure registry, almost identical to the npm one, the difference being that every package and every version of every package goes through the NodeSource certification process and is assigned a score.
What do you think of this NodeSource product? Will you try it out?