=== Misplaced trust in developers ===
Package management systems such as [[npm (software)|npm]] and Bower are popular with JavaScript developers. Such systems allow a developer to easily manage their program's dependencies upon other developers' program libraries. Developers trust that the maintainers of those libraries will keep them secure and up to date, but that is not always the case, and this blind trust is itself a source of vulnerabilities. A relied-upon library can publish a new release that introduces bugs or vulnerabilities into every program that depends on it. Conversely, a library can remain unpatched while known vulnerabilities are out in the wild. In a study of a sample of 133,000 websites, researchers found that 37% of the websites included a library with at least one known vulnerability.<ref name="jslibs">{{citation |last1=Lauinger |first1=Tobias |last2=Chaabane |first2=Abdelberi |last3=Arshad |first3=Sajjad |last4=Robertson |first4=William |last5=Wilson |first5=Christo |last6=Kirda |first6=Engin |title=Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web |url=https://www.ccs.neu.edu/home/arshad/publications/ndss2017jslibs.pdf |website=Northeastern University |access-date=28 July 2022 |archive-url=https://web.archive.org/web/20170329045344/https://www.ccs.neu.edu/home/arshad/publications/ndss2017jslibs.pdf |archive-date=29 March 2017 |doi = 10.14722/ndss.2017.23414 |date = December 21, 2016|arxiv=1811.00918 |isbn=978-1-891562-46-4 |s2cid=17885720 |url-status=dead}}</ref> "The median lag between the oldest library version used on each website and the newest available version of that library is 1,177 days in ALEXA, and development of some libraries still in active use ceased years ago."<ref name="jslibs" /> A further possibility is that the maintainer of a library removes it entirely. This occurred in March 2016 when Azer Koçulu removed his repository from npm, which caused tens of thousands of programs and websites depending upon his libraries to break.<ref>{{cite news |work=Quartz |url=https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code/ |title=How one programmer broke the internet by deleting a tiny piece of code |first=Keith |last=Collins |date=March 27, 2016 |access-date=February 22, 2017 |archive-date=February 22, 2017 |archive-url=https://web.archive.org/web/20170222200836/https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code/ |url-status=live }}</ref><ref>SC Magazine UK, [https://www.scmagazineuk.com/developers-11-lines-of-deleted-code-breaks-the-internet/article/532050/ Developer's 11 lines of deleted code 'breaks the internet'] {{Webarchive|url=https://web.archive.org/web/20170223041434/https://www.scmagazineuk.com/developers-11-lines-of-deleted-code-breaks-the-internet/article/532050/ |date=February 23, 2017 }}</ref>
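The three failure modes described above (a dependency pinned to a version with a known vulnerability, a dependency lagging far behind its newest release, and a dependency that has been removed from the registry) can all be detected from a project's dependency list plus registry metadata. The following is an added illustration, not code from the article or from npm: a minimal dependency audit written in plain JavaScript with no external modules. The registry snapshot, the advisory list and the advisory identifier `EXAMPLE-2020-0001` are constructed for the example; a real audit such as `npm audit` would query a live registry and advisory database instead.

```javascript
// Added example (not from the Wikipedia article or from npm): a minimal
// dependency audit over constructed data. It flags, for each dependency,
// whether the pinned version is below the fix for a known advisory, how many
// days it lags behind the newest release, or whether the package has been
// unpublished from the registry entirely.

// Parse a strict "MAJOR.MINOR.PATCH" version into three integers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison, so that 1.10.0 sorts after 1.9.0 (string order would not).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Constructed registry snapshot: package -> { version -> ISO publish date }.
const REGISTRY = {
  "widget-lib": { "1.0.0": "2019-01-10", "1.1.0": "2020-06-01", "2.0.0": "2022-03-15" },
  "tiny-pad":   { "0.9.0": "2015-11-02" },
};

// Constructed advisories: every version below `fixedIn` is affected.
const ADVISORIES = [
  { name: "widget-lib", fixedIn: "1.1.0", id: "EXAMPLE-2020-0001" },
];

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Whole days from isoA to isoB; date-only ISO strings parse as UTC.
function daysBetween(isoA, isoB) {
  return Math.round((Date.parse(isoB) - Date.parse(isoA)) / MS_PER_DAY);
}

function newestVersion(versions) {
  return versions.reduce((best, v) => (compareVersions(v, best) > 0 ? v : best));
}

// deps: { packageName: pinnedVersion }, as a lockfile would record it.
function auditDependencies(deps, registry = REGISTRY, advisories = ADVISORIES) {
  const findings = [];
  for (const [name, version] of Object.entries(deps)) {
    const releases = registry[name];
    if (!releases) {
      // The package no longer exists in the registry (the left-pad scenario).
      findings.push({ name, version, newest: null, lagDays: null, advisories: [], issue: "unpublished" });
      continue;
    }
    if (!(version in releases)) {
      // Pinned to a version the registry has never published.
      findings.push({ name, version, newest: null, lagDays: null, advisories: [], issue: "unknown-version" });
      continue;
    }
    const newest = newestVersion(Object.keys(releases));
    const lagDays = daysBetween(releases[version], releases[newest]);
    const hits = advisories
      .filter(a => a.name === name && compareVersions(version, a.fixedIn) < 0)
      .map(a => a.id);
    const issue = hits.length ? "known-vulnerability" : (lagDays > 0 ? "outdated" : "current");
    findings.push({ name, version, newest, lagDays, advisories: hits, issue });
  }
  return findings;
}

// Median lag across the dependencies that still exist, the statistic the
// cited study reports per website (1,177 days in its sample).
function medianLagDays(findings) {
  const lags = findings.map(f => f.lagDays).filter(l => l !== null).sort((a, b) => a - b);
  if (lags.length === 0) return null;
  const mid = Math.floor(lags.length / 2);
  return lags.length % 2 ? lags[mid] : (lags[mid - 1] + lags[mid]) / 2;
}

// Constructed lockfile-style input covering all three failure modes.
const SAMPLE_DEPS = { "widget-lib": "1.0.0", "tiny-pad": "0.9.0", "gone-lib": "1.0.0" };
const SAMPLE_FINDINGS = auditDependencies(SAMPLE_DEPS);
for (const f of SAMPLE_FINDINGS) {
  console.log(`${f.name}@${f.version}: ${f.issue}` +
    (f.lagDays !== null ? ` (lag ${f.lagDays} days behind ${f.newest})` : "") +
    (f.advisories.length ? ` advisories: ${f.advisories.join(", ")}` : ""));
}
console.log(`median lag: ${medianLagDays(SAMPLE_FINDINGS)} days`);
```

The design point is that every check runs from data a project already controls or can snapshot: the pinned versions come from the lockfile, and the registry and advisory snapshots can be mirrored internally, so the audit still runs when an upstream package disappears. Pinning versions in a lockfile and mirroring the registry are the usual mitigations for the removal case; the audit above only makes the exposure visible.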