
New author

Severity

Low

Short Description

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.


Suggestion

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Information

Adding new collaborators to an npm package increases the number of individuals with publishing rights, which may elevate the risk of:

  • Accidental Publishing Errors: Mistakes made by a less experienced or new collaborator.
  • Supply Chain Attacks: Malicious code could be intentionally or unintentionally introduced by a compromised or unvetted collaborator.
  • Loss of Trust: Frequent changes to publishing rights might signal instability or lack of proper governance over the package.

New collaborators should be carefully vetted because they can now publish code that propagates through your dependency tree, potentially impacting all projects depending on this package.

Recommended actions

Verify New Collaborator:

  • Confirm the identity and legitimacy of the new collaborator.
  • Ensure they are associated with the project and authorized to make changes.

Review Published Changes:

  • Audit the version of the package published by the new author to ensure no malicious or suspicious code has been introduced.

Limit Publishing Permissions:

  • If you are the package publisher, minimize the number of people with publishing rights to reduce the attack surface.
  • Use npm’s organization teams and role-based access control to better manage permissions.

Communicate Changes:

  • For package publishers, make sure to notify your user base or contributors when significant governance changes occur.
  • Clarify why new collaborators have been added and their role in the project.

Establish Governance Policies:

  • Define clear guidelines for adding new collaborators to the project.
  • Require periodic reviews of who has access to publish and revoke access for inactive contributors.

Examples

Here's an example where an npm package changed authors from one version to the next. The new author and previous author are noted in the alert:

Detection Method

This alert only applies to the npm ecosystem at this time. It detects when a new version of the package is published by a new npm collaborator for the first time.
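The detection described above can be reproduced from the public registry metadata of a package. The following is an added example, not Socket's detector: it walks a packument (the JSON returned by `npm view <pkg> --json` or by the registry for a package) in publish order, using the `_npmUser.name` recorded on each version, and emits one alert per version whose publisher has never published that package before, naming both the new and the previous author as the alert text above describes. The packument, package name and user names are constructed for this example; a reviewer following "Review Published Changes" would feed real registry output to `newAuthorAlerts` instead.

```javascript
// Added example (not Socket's code): flag versions of an npm package that
// were published by an npm user who had never published that package before.
// Input mirrors the registry packument: `versions[v]._npmUser.name` records
// who published each version, `time[v]` its publish timestamp, and
// `maintainers` the users who currently hold publish rights.
// Everything below is constructed sample data; "example-widget", "alice"
// and "bob" are made up.
const samplePackument = {
  name: "example-widget",
  "dist-tags": { latest: "1.2.0" },
  maintainers: [{ name: "alice" }, { name: "bob" }],
  time: {
    created: "2023-01-10T12:00:00.000Z",
    modified: "2024-02-20T08:00:00.000Z",
    "1.0.0": "2023-01-10T12:00:00.000Z",
    "1.1.0": "2023-03-02T09:30:00.000Z",
    "1.1.1": "2023-03-05T16:45:00.000Z",
    "1.2.0": "2024-02-20T08:00:00.000Z",
  },
  versions: {
    "1.0.0": { _npmUser: { name: "alice" } },
    "1.1.0": { _npmUser: { name: "alice" } },
    "1.1.1": { _npmUser: { name: "alice" } },
    "1.2.0": { _npmUser: { name: "bob" } },
  },
};

// Order the published versions by their publish time rather than by semver:
// a "new author" is about who published next in time, and the `time` map also
// carries non-version keys ("created", "modified") which are skipped because
// only keys present in `versions` are iterated. A version with no timestamp
// sorts first instead of breaking the comparator with NaN.
function versionsInPublishOrder(packument) {
  const stamp = (v) => Date.parse(packument.time[v] ?? "") || 0;
  return Object.keys(packument.versions).sort((a, b) => stamp(a) - stamp(b));
}

// Emit one alert per version whose publisher appears for the first time.
// The very first release is never an alert: its publisher is the original
// author, not a new one. Each alert records the previous publisher so a
// reviewer can see which identity change the alert refers to.
function newAuthorAlerts(packument) {
  const seen = new Set();
  const alerts = [];
  let previousAuthor = null;
  for (const version of versionsInPublishOrder(packument)) {
    const author = packument.versions[version]._npmUser?.name ?? "<unknown>";
    if (seen.size > 0 && !seen.has(author)) {
      alerts.push({
        package: packument.name,
        version,
        newAuthor: author,
        previousAuthor,
        publishedAt: packument.time[version] ?? null,
      });
    }
    seen.add(author);
    previousAuthor = author;
  }
  return alerts;
}

// Support for "Verify New Collaborator": list publishers seen in the version
// history who are not in the current `maintainers` list. A non-empty result
// means publish rights changed after the fact (an account was removed) or the
// metadata is inconsistent, both worth a closer look.
function publishersNotListedAsMaintainers(packument) {
  const maintainers = new Set((packument.maintainers ?? []).map((m) => m.name));
  const publishers = new Set(
    Object.values(packument.versions).map((v) => v._npmUser?.name ?? "<unknown>")
  );
  return [...publishers].filter((name) => !maintainers.has(name)).sort();
}

console.log(JSON.stringify(newAuthorAlerts(samplePackument), null, 2));
console.log("publishers not in maintainers:", publishersNotListedAsMaintainers(samplePackument));
```

Run it with `node` to see a single alert for version 1.2.0 (new author bob, previous author alice). To audit a real dependency, replace `samplePackument` with the parsed output of `npm view <pkg> --json`; the functions only rely on the `versions`, `time` and `maintainers` fields that the registry returns.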
