Risk
The Risk group covers criteria intended to indicate whether a package's usage or installation may be abnormally risky in ways that go beyond purely security concerns.
Some examples of things considered risky:
- Packages which include code which could have severe implications if misused.
- Packages which are likely to cease functioning in a future Node.js major upgrade.
- Packages which have poor error handling.
Risk Severity
The risk group has a more fine-grained severity ranking, although severity will still vary somewhat by score.
- CRITICAL: Avoid install without manually inspecting this package's code & scripts.
- HIGH: Manually inspecting this package's code & scripts before install is recommended.
- MEDIUM: Inspecting this package's code before use is recommended.
- LOW: This package does something less-than-ideal that could manifest risk in some circumstances.
- NONE: Nothing of note.
Risk Score Overview:
NCM 2 captures the following set of Risk Scores. This set continues to expand. Each property is outlined in more detail below:
- has-install-scripts
- has-gyp-file
- uses-eval
- has-unsafe-regexps
- uses-deprecated-node-apis
- has-lost-callback-errs
- has-abandoned-promises
- missing-strict-mode
Risk Score: has-install-scripts
This score indicates whether any npm lifecycle scripts which trigger on install were detected.
Lifecycle scripts which trigger on install can be useful but are inherently risky, as they may run unwanted CLI commands before other tools or the user can inspect the package.
The npm lifecycle scripts which may run on install (and are as such considered risky) are:
- preinstall
- install
- postinstall
- preuninstall
- uninstall
- postuninstall
Note: npm "scripts" are package-author-defined shell snippets declared in the package's package.json.
Additionally, gyp build files from native modules are also considered install scripts under this score, since they run on install and may execute arbitrary code.
Identifying this risk attribute in a package means that its risk score will be elevated to Critical.
Risk Score: has-gyp-file
An additional score that complements has-install-scripts by indicating specifically the presence of a gyp build file (as required by native modules).
For more about gyp files and building native addons, please see node-gyp, which is invoked by npm during the build lifecycle step or the rebuild command.
Identifying this risk attribute in a package means that its risk score will be elevated to Critical.
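The two scores above can be checked locally before a package is allowed into a build. The following is an added example, not NCM's own implementation: it applies the rules stated on this page (any install/uninstall lifecycle script, or any gyp file, raises the package to Critical) to a parsed package.json plus the list of files in the published tarball. The sample manifests and file lists are constructed for illustration.

```javascript
// Added example: assess install-time risk from a manifest and a file list.
// `manifest` is a parsed package.json; `files` is the list of paths inside the
// tarball (for a real package, `npm pack --dry-run` prints that list).
const INSTALL_LIFECYCLE_SCRIPTS = [
  'preinstall', 'install', 'postinstall',
  'preuninstall', 'uninstall', 'postuninstall',
];

function assessInstallRisk(manifest, files) {
  const scripts = (manifest && manifest.scripts) || {};
  const installScripts = INSTALL_LIFECYCLE_SCRIPTS
    .filter((name) => typeof scripts[name] === 'string' && scripts[name].trim() !== '');
  const gypFiles = files.filter((path) => /(^|\/)[^/]+\.gyp$/.test(path));

  const findings = [];
  // A gyp file counts as an install script too: npm runs node-gyp for it on install.
  if (installScripts.length > 0 || gypFiles.length > 0) {
    findings.push({
      score: 'has-install-scripts',
      severity: 'CRITICAL',
      evidence: installScripts.map((n) => `${n}: ${scripts[n]}`).concat(gypFiles),
    });
  }
  if (gypFiles.length > 0) {
    findings.push({ score: 'has-gyp-file', severity: 'CRITICAL', evidence: gypFiles });
  }
  return findings;
}

// Highest severity across findings; NONE when nothing was flagged.
function overallSeverity(findings) {
  const rank = ['NONE', 'LOW', 'MEDIUM', 'HIGH', 'CRITICAL'];
  return findings.reduce(
    (worst, f) => (rank.indexOf(f.severity) > rank.indexOf(worst) ? f.severity : worst),
    'NONE',
  );
}

// Constructed sample packages (not real npm packages).
const SAMPLES = {
  clean: {
    manifest: { name: 'example-clean', scripts: { test: 'node test.js' } },
    files: ['package.json', 'index.js'],
  },
  postinstall: {
    manifest: { name: 'example-hook', scripts: { postinstall: 'node scripts/setup.js' } },
    files: ['package.json', 'scripts/setup.js'],
  },
  native: {
    manifest: { name: 'example-native', scripts: { test: 'node test.js' } },
    files: ['package.json', 'binding.gyp', 'src/addon.cc'],
  },
};

for (const [label, pkg] of Object.entries(SAMPLES)) {
  const findings = assessInstallRisk(pkg.manifest, pkg.files);
  console.log(label, overallSeverity(findings), findings.map((f) => f.score));
}
```

Flagged packages can still be installed for inspection without running their hooks (`npm install --ignore-scripts`), which is the practical way to read the scripts and gyp files before deciding.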
Risk Score: uses-eval
This score indicates whether static code analysis of the package detected any use of eval() or of implied eval (Function(), etc.).
Regardless of whether an actual security vulnerability exists, any code that uses eval is at risk of receiving and executing unverified upstream data.
Identifying this risk attribute in a package means that its risk score will be elevated to High.
Risk Score: has-unsafe-regexps
This score indicates whether static code analysis of the package detected any regular expressions with exponential-time worst-case behaviour, which could be a denial-of-service ("ReDoS") attack vector when applied to unverified upstream data.
Identifying this risk attribute in a package means that its risk score will be elevated to Medium.
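The most common exponential-time shape is a nested quantifier: an unbounded quantifier applied to a group that itself contains a quantifier, as in /(a+)+$/ or /(\w+\s?)*$/. The following added example (not NCM's analyzer) is a lexical heuristic that flags that shape; it is deliberately narrow, so overlapping alternation such as /(a|aa)+$/ is not caught, and the sample patterns are constructed.

```javascript
// Added example: flag an unbounded quantifier (*, +, {n,}) applied to a group
// that already contains a quantifier. Works on the pattern source only.
function hasNestedQuantifier(pattern) {
  const source = pattern instanceof RegExp ? pattern.source : String(pattern);
  const open = [];          // enclosing groups: { quantified: bool }
  let lastClosed = null;    // the group just closed, when the previous token was ')'
  let inClass = false;      // inside [...] metacharacters are literal
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === '\\') { i += 1; lastClosed = null; continue; }      // skip escaped char
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; lastClosed = null; continue; }
    if (c === '(') {
      if (source[i + 1] === '?') {                                 // (?: (?= (?! (?<= (?<! (?<name>
        i += 2;
        if (source[i] === '<' && source[i + 1] !== '=' && source[i + 1] !== '!') {
          i = source.indexOf('>', i);
        }
      }
      open.push({ quantified: false });
      lastClosed = null;
      continue;
    }
    if (c === ')') { lastClosed = open.pop() || null; continue; }
    const brace = c === '{' ? /^\{(\d+)(,(\d*))?\}/.exec(source.slice(i)) : null;
    if (c === '*' || c === '+' || c === '?' || brace) {
      // {n}, {n,m} and ? are bounded; *, + and {n,} are unbounded
      const unbounded = c === '*' || c === '+'
        || (brace !== null && brace[2] !== undefined && brace[3] === '');
      if (brace) i += brace[0].length - 1;
      if (unbounded && lastClosed && lastClosed.quantified) return true;
      for (const g of open) g.quantified = true;                   // mark every enclosing group
      lastClosed = null;
      continue;
    }
    lastClosed = null;
  }
  return false;
}

// Constructed patterns: two classic ReDoS shapes and two safe ones.
for (const p of [/(a+)+$/, /(\w+\s?)*$/, /^(?:\d{1,3}\.){3}\d{1,3}$/, /^[a-z]+@[a-z]+\.[a-z]{2,}$/]) {
  console.log(p.source, hasNestedQuantifier(p) ? 'nested quantifier: review' : 'ok');
}
```

A flagged pattern is usually fixed by rewriting it so the inner repetition cannot overlap the outer one, or by bounding the length of untrusted input before matching; a check like this belongs in a lint step, not as the only defence.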
Risk Score: uses-deprecated-node-apis
This score indicates whether static code analysis of the package detected any deprecated Node.js core APIs. A package which uses deprecated Node.js APIs may not function in a future Node.js major version upgrade.
A list of all deprecated Node.js core APIs can be found in the official Node.js documentation.
This criterion may not detect all Node.js deprecations, and will also not detect a deprecation until some time after it has been issued.
Identifying this risk attribute in a package means that its risk score will be elevated to Medium.
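Both uses-eval and uses-deprecated-node-apis are produced by static analysis of the package's source. The following added example (not NCM's analyzer) shows the simplest form of such a scan: a rule table of lexical patterns, each tied to the score it feeds and the severity this page assigns. The rule table is constructed and covers only a handful of deprecations whose DEP codes are documented by Node.js; it runs on raw text rather than an AST, so string literals and block comments can produce false positives, and only `//` line comments are skipped.

```javascript
// Added example: lexical scanner for eval-like calls and a few deprecated core APIs.
const RULES = [
  { score: 'uses-eval', why: 'direct eval()', re: /\beval\s*\(/ },
  { score: 'uses-eval', why: 'implied eval via Function()', re: /\b(?:new\s+)?Function\s*\(/ },
  { score: 'uses-eval', why: 'implied eval via string timer callback', re: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/ },
  { score: 'uses-deprecated-node-apis', why: 'DEP0005 Buffer() constructor', re: /\b(?:new\s+)?Buffer\s*\(/ },
  { score: 'uses-deprecated-node-apis', why: "DEP0025 require('sys')", re: /\brequire\s*\(\s*['"](?:node:)?sys['"]\s*\)/ },
  { score: 'uses-deprecated-node-apis', why: 'DEP0044 util.isArray()', re: /\butil\.isArray\s*\(/ },
  { score: 'uses-deprecated-node-apis', why: 'DEP0106 crypto.createCipher()/createDecipher()', re: /\bcrypto\.create(?:De)?[Cc]ipher\s*\(/ },
  { score: 'uses-deprecated-node-apis', why: 'DEP0111 process.binding()', re: /\bprocess\.binding\s*\(/ },
];

// Severity each score raises a package to, as stated on this page.
const SEVERITY = { 'uses-eval': 'HIGH', 'uses-deprecated-node-apis': 'MEDIUM' };
const SEVERITY_RANK = ['NONE', 'LOW', 'MEDIUM', 'HIGH', 'CRITICAL'];

// Returns one finding per (line, rule) hit: { file, line, score, why, snippet }.
function scanSource(source, file = '<input>') {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    if (text.trim().startsWith('//')) return;            // skip line comments
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        findings.push({ file, line: idx + 1, score: rule.score, why: rule.why, snippet: text.trim() });
      }
    }
  });
  return findings;
}

// Worst severity implied by a set of findings; NONE when there are none.
function highestSeverity(findings) {
  return findings.reduce((worst, f) => {
    const s = SEVERITY[f.score] || 'NONE';
    return SEVERITY_RANK.indexOf(s) > SEVERITY_RANK.indexOf(worst) ? s : worst;
  }, 'NONE');
}

// Constructed sample source: one eval, two deprecated calls, one modern call.
const SAMPLE = [
  "'use strict';",
  "const util = require('util');",
  "// eval('inside a comment is skipped')",
  "function parseConfig(text) { return eval('(' + text + ')'); }",
  "const legacy = new Buffer(text, 'base64');",
  "if (util.isArray(list)) list.forEach(log);",
  "const modern = Buffer.from(text, 'base64');",
].join('\n');

for (const f of scanSource(SAMPLE, 'sample.js')) {
  console.log(`${f.file}:${f.line} [${f.score}] ${f.why}: ${f.snippet}`);
}
console.log('overall:', highestSeverity(scanSource(SAMPLE, 'sample.js')));
```

A scanner like this is a triage aid: every hit should be confirmed by reading the code, and a real analyzer works on the parsed syntax tree so that it can distinguish a call to eval from the word inside a string.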
Risk Score: has-lost-callback-errs
This score indicates whether static code analysis of the package detected any callback error arguments which were not checked, so that any runtime error passed to the callback may be "lost".
Not checking and properly handling errors in callbacks that take error parameters could cause state, memory, and/or resource leaks.
Identifying this risk attribute in a package means that its risk score will be elevated to High.
Risk Score: has-abandoned-promises
This score indicates whether static code analysis of the package detected any Promises which did not have some form of finalization handling. This includes .catch(), a second argument to .then(), .finally(), and the handlers provided by the most common user-land promise libraries.
Not doing proper finalization and/or error handling of Promises could cause state, memory, and/or resource leaks.
Identifying this risk attribute in a package means that its risk score will be elevated to High.
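The following added example illustrates both has-lost-callback-errs and has-abandoned-promises with the flagged form of each beside its fixed form. It is not NCM code; fakeRead and fakeFetch are constructed stand-ins for I/O (fakeRead invokes its callback synchronously so the callback half stays deterministic), and openHandles is a constructed counter standing in for sockets, file handles or locks.

```javascript
// Constructed I/O stand-in: succeeds for .json paths, fails otherwise.
function fakeRead(path, cb) {
  if (path.endsWith('.json')) cb(null, '{"retries":3}');
  else cb(new Error('ENOENT: no such file ' + path));
}

// has-lost-callback-errs: `err` is never examined. On failure `data` is undefined,
// so the caller sees a SyntaxError from JSON.parse and the real cause is lost.
function loadConfigLossy(path, cb) {
  fakeRead(path, (err, data) => {
    cb(null, JSON.parse(data));
  });
}

// Fixed: every error path reaches the callback exactly once with the real error.
function loadConfig(path, cb) {
  fakeRead(path, (err, data) => {
    if (err) return cb(err);
    let parsed;
    try { parsed = JSON.parse(data); } catch (parseErr) { return cb(parseErr); }
    cb(null, parsed);
  });
}

// Constructed resource counter; a leak shows up as a count that never returns to 0.
let openHandles = 0;
function acquire() { openHandles += 1; return { release() { openHandles -= 1; } }; }
function fakeFetch(url) {
  return url.startsWith('https://')
    ? Promise.resolve({ status: 200 })
    : Promise.reject(new Error('refusing insecure scheme: ' + url));
}

// has-abandoned-promises: no .catch()/.finally(). On rejection the handle is never
// released and the rejection is unhandled, which terminates a current Node.js
// process by default. Defined for comparison only; it is not called below.
function fetchAbandoned(url) {
  const handle = acquire();
  fakeFetch(url).then((res) => { handle.release(); return res; });
}

// Fixed: .finally() releases on every path, .catch() turns the failure into a value.
function fetchFinalized(url) {
  const handle = acquire();
  return fakeFetch(url)
    .then((res) => ({ ok: true, status: res.status }))
    .catch((err) => ({ ok: false, error: err.message }))
    .finally(() => handle.release());
}

fetchFinalized('http://example.invalid/').then((r) => console.log(r, 'open handles:', openHandles));
```

The callback rule is the same one Node.js core follows: check `err` first and return, then do the work; the promise rule is that every chain a module creates is either returned to the caller or terminated with a handler.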
Risk Score: missing-strict-mode
This score indicates whether static code analysis of the package detected the lack of strict mode ('use strict') in any of the package's code.
Not using strict mode can result in code that has silent errors or is non-optimizable by the JavaScript engine.
Identifying this risk attribute in a package means that its risk score will be elevated to Low.
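A concrete instance of the "silent error" this score refers to, as an added example that is not part of this page's tooling: assigning to a property of a frozen object. Without strict mode the write is ignored and execution continues with stale data; with 'use strict' it throws a TypeError at the mistake. The objects are constructed, and fileIsStrict is a small probe added here to show which mode the surrounding file runs in (ES modules are always strict, so the sloppy function only behaves differently in a CommonJS file without the directive).

```javascript
// Strict version: the directive is scoped to this function, so it behaves the
// same whether or not the enclosing file is strict.
function writeFrozenStrict() {
  'use strict';
  const settings = Object.freeze({ debug: false });
  try {
    settings.debug = true;                           // throws TypeError in strict mode
    return { debug: settings.debug, threw: false };
  } catch (err) {
    return { debug: settings.debug, threw: err instanceof TypeError };
  }
}

// Sloppy version: in a non-strict file the write is silently dropped and the
// function returns as if it had succeeded.
function writeFrozenSloppy() {
  const settings = Object.freeze({ debug: false });
  try {
    settings.debug = true;
    return { debug: settings.debug, threw: false };
  } catch (err) {
    return { debug: settings.debug, threw: err instanceof TypeError };
  }
}

// Probe: a plain function call binds `this` to globalThis in sloppy mode and to
// undefined in strict mode, which reveals the mode of the enclosing file.
function fileIsStrict() {
  return this === undefined;
}

console.log('file is strict:', fileIsStrict());
console.log('strict write:', writeFrozenStrict());
console.log('sloppy write:', writeFrozenSloppy());
```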