How can we trust npm modules?

There are a few programs, available from npm, that can run against your package.json and check for known vulnerabilities. Not perfect, but a great start. The one I have used is called nsp, but there are others.


Update - June 2019

In npm@6, a security check is included. You could run npm audit to recursively analyze your dependency trees and identify specifically what’s insecure.

2016 version

You could use the nsp tool provided by Node Security Platform, which helps to audit all the modules from your package.json:

npm install nsp --global
nsp check
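As an added example (not part of the answer above), here is a small gate that consumes the JSON report from `npm audit --json` and decides whether a CI build should fail. It assumes the report carries the `metadata.vulnerabilities` severity counts that npm 6 and later emit; the sample report is constructed.

```javascript
// Added example: gate a build on the severity counts in an `npm audit --json`
// report. Assumes `metadata.vulnerabilities` is present (npm 6+ format).
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Returns { fail, worst, counts }. `fail` is true when any finding is at or
// above the `failOn` severity. Unknown severity names throw instead of being
// silently ignored, so a typo in CI config cannot disable the gate.
function auditGate(report, failOn = "high") {
  const threshold = SEVERITIES.indexOf(failOn);
  if (threshold < 0) throw new Error(`unknown severity: ${failOn}`);
  const raw = (report && report.metadata && report.metadata.vulnerabilities) || {};
  const counts = {};
  let worst = null;
  for (const sev of SEVERITIES) {
    const n = Number(raw[sev] || 0);
    counts[sev] = n;
    if (n > 0) worst = sev; // SEVERITIES is ordered, so the last hit is the worst
  }
  const fail = worst !== null && SEVERITIES.indexOf(worst) >= threshold;
  return { fail, worst, counts };
}

// Parses raw report text and returns a process exit code: 0 = pass, 1 = fail,
// 2 = unparseable report (treated as a failure, not a pass).
function gateJson(text, failOn = "high") {
  let report;
  try {
    report = JSON.parse(text);
  } catch (e) {
    return 2;
  }
  return auditGate(report, failOn).fail ? 1 : 0;
}

// Constructed sample resembling an npm audit report with one low and one high.
const SAMPLE_REPORT = {
  metadata: {
    vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0 },
  },
};

module.exports = { auditGate, gateJson, SAMPLE_REPORT };
```

In a pipeline this would be fed the captured output of `npm audit --json` and the returned code used as the step's exit status.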

NPM is not doing any checks whatsoever. They are just a registry. The whole thing is built on the trust in the dev community and sharing.

Most node modules are open source and you can review their code in their repository (usually Github). So that's the best way to 'trust' them. Some node modules give you prebuilt native binaries, so that might be riskier in a way, but if it is popular (like ws for example) then I see no issue. You can also check the NPM publisher user, which sometimes is a known company like Oracle.


The idea is to find the most popular npm modules. You can do this by checking the stars on each project.

Some tips:

Use npm to manage dependencies in your dev environment, but not in your deployment scripts.

Tools like npm are development tools. They’re a convenient way to download and update modules. They’re not deployment tools, have never been deployment tools, and should not be used for deployment!

Use npm shrinkwrap in the development repository and check in the result. This will lock your module versions in place, including sub-dependencies.

More details here