Non-existent author

Severity

High

Short Description

The package was published by an npm account that no longer exists.

Suggestion

Packages should have active and identified authors.

Information

npm is full of abandoned packages, and it is not always easy to tell that a package is abandoned without some digging. Packages whose author no longer exists on npm are risky dependencies, and this alert is one of the fastest high-confidence signals that a package has been abandoned.

When a maintainer's account is deleted, there is no longer an accountable party to triage security reports or ship bug fixes, so any vulnerability found in the package stays unpatched for as long as you depend on it.

Two npm policies explain why abandoned packages are allowed to remain in the registry:

npm retains abandoned packages for their historical value, even when the author's account no longer exists: this policy, clarified in 2022, means such packages are not removed from the registry, so that the history of the ecosystem is preserved.

npm prohibits the adoption of abandoned packages: npm's stance is that unmaintained packages remain as they are, and npm does not step in to maintain or reassign them, except through its naming and trademark dispute policies. The reason is that letting a new party adopt an abandoned package would hand an ill-intentioned maintainer the ability to publish a compromised release to every existing dependent, a ready-made supply chain attack.

Recommended actions

  • Evaluate Package Usage: Assess whether the package is critical to your project. If it is not essential, consider finding an alternative with an active maintainer.
  • Check for Recent Activity: Look at the package’s repository to see if there has been any recent activity or community involvement that suggests ongoing maintenance by others.
  • Contact the Community: Engage with the community to see if there are plans to adopt or maintain the package.
  • Fork the Package: If the package is essential, consider forking it and maintaining your own version, ensuring that any security updates and necessary changes are applied promptly.
  • Version Pinning: Pin the exact version you are currently using so that your project keeps building against a known-good release. Treat this as a temporary measure while you actively look for a replacement in cases where swapping the library out is not trivial: pinning makes dependency management and maintenance more cumbersome, and it can also prevent you from receiving security updates you need.

Examples

One illustration is an npm package that is 12 years old and whose author no longer exists. The Non-Existent Author alert is also frequently accompanied by high-severity CVEs and other supply chain risk alerts on the same package.

Detection Method

Socket raises this alert on npm packages whose author's account no longer exists. More precisely, it fires when the account that published the specific package version being evaluated no longer exists.
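To make the detection rule concrete, here is an added example (not Socket's code) that applies the same check to npm registry metadata: it reads the `_npmUser` field that each version of a package's registry document carries, which records the account that ran `npm publish` for that version, and flags versions whose publisher no longer resolves to an existing account. The user-existence lookup is injected and backed by constructed sample data so the script runs offline; the package, version numbers and account names are invented. In a live check, the assumption is that you would replace the lookup with a request to the registry's user endpoint (`https://registry.npmjs.org/-/user/org.couchdb.user:<name>`) and treat a 404 as "account no longer exists".

```javascript
// Added example, not Socket's code: reproduce the Non-Existent Author rule
// over a package's registry document (the "packument" returned by
// GET https://registry.npmjs.org/<package>).
//
// `userExists(name)` is injected so the logic runs offline. A real
// implementation would GET https://registry.npmjs.org/-/user/org.couchdb.user:<name>
// and treat a 404 as "account no longer exists" (assumption, not exercised here).

// Walk every published version and flag those whose publishing account is gone.
function nonExistentAuthorVersions(packument, userExists) {
  const flagged = [];
  for (const [version, meta] of Object.entries(packument.versions || {})) {
    const publisher = meta._npmUser && meta._npmUser.name;
    if (!publisher) {
      // Very old publishes may carry no _npmUser; skip rather than guess.
      continue;
    }
    if (!userExists(publisher)) {
      flagged.push({ version, publisher });
    }
  }
  return flagged;
}

// The alert is about the account that published the *specific* version you
// depend on, so apply the rule to exactly the version resolved in a lockfile.
function checkInstalledVersion(packument, installedVersion, userExists) {
  const meta = (packument.versions || {})[installedVersion];
  if (!meta || !meta._npmUser || !meta._npmUser.name) {
    return { version: installedVersion, status: "unknown" };
  }
  const publisher = meta._npmUser.name;
  return {
    version: installedVersion,
    publisher,
    status: userExists(publisher) ? "ok" : "non-existent-author",
  };
}

// Constructed sample packument: not a real package, not real accounts.
const SAMPLE_PACKUMENT = {
  name: "example-left-padder",
  "dist-tags": { latest: "1.1.0" },
  versions: {
    "0.1.0": { version: "0.1.0" }, // ancient publish with no _npmUser recorded
    "1.0.0": {
      version: "1.0.0",
      _npmUser: { name: "departed-dev", email: "x@example.invalid" },
    },
    "1.1.0": {
      version: "1.1.0",
      _npmUser: { name: "current-maintainer", email: "y@example.invalid" },
    },
  },
  maintainers: [{ name: "current-maintainer", email: "y@example.invalid" }],
};

// Constructed stand-in for the registry user lookup: only one account "exists".
const KNOWN_ACCOUNTS = new Set(["current-maintainer"]);
const sampleUserExists = (name) => KNOWN_ACCOUNTS.has(name);

// Stand-alone run: list every affected version, then check the version a
// lockfile might have resolved to.
console.log(nonExistentAuthorVersions(SAMPLE_PACKUMENT, sampleUserExists));
console.log(checkInstalledVersion(SAMPLE_PACKUMENT, "1.0.0", sampleUserExists));
```

Note that the package's `maintainers` list is not consulted: in the sample, `current-maintainer` is the only listed maintainer, yet `1.0.0` is still flagged because the account that actually published it is gone. That is the distinction the detection method above draws between "the author" and "the account that published the version".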

Additional resources

The “Non-Existent Author” Alert: How to Safeguard Against the Dangers of Abandoned npm Packages

npm Feedback Discussions on GitHub Community
