Is NPM safe?

Have used the bootstrap theme ( GitHub - razonyang/hugo-theme-bootstrap: A fast, responsive and feature-rich Hugo theme for personal blog and documentations. )for quite a while. Since about Nov '21 I think, the theme has included NPM.

So, how secure is NPM ? I did install it and it started to pull code from many different sources. That concerned me. If a theme only uses a small number of NPM sources, why use many ? Why have them contained on a website ?

I went for Hugo because it was static, and have noticed for years the website abuse from attempts to insert SQ code into databases. So, static HTML was “safe”, right ?

Yet what if the scripts are not ?

Is Hugo setup for an NPM audit as explained at NPM Audit: How to Scan Packages for Security Vulnerabilities ? Some interesting articles about the vulnerability of scripts contained within NPM - is npm safe at DuckDuckGo

Can Hugo themes be setup so that the user can decide on whether to include the NPM code or not ? Like as a Hugo module ?

This is a good read:

1 Like

Hugo itself does not use npm. Many themes does however. How it is implemented is completely up to the theme developers.

1 Like

@bep - Thanks, yes a good read. In years well gone now, we always had a seperate testing environment, and only after a new release passed all the testing, was it implemented into the ‘production’ environment.

Personally, I don’t feel comfortable with npm simply because it pulls code/scripts from many different sources. Who do we trust ?

@frjo - Yes it is all under the control of the theme developers. If Hugo can provide the options though, like it does now with modules, will the theme developers consider making `npm’ an option ? Or is that simply not feasible ?

As a security concern at least ?

If I want to keep/use the current bootstrap theme and don’t want npm , then I will have to go back to an earlier release - Release v0.67.1: fix: social image meta tag · razonyang/hugo-theme-bootstrap · GitHub

So, npm was added to the theme at one point in time. Possibly theme developers can consider adding `npm’ in a modular sense, or use other methods to provide the end user with options ?

Any npm command that’s running outside of Hugo (e.g. Netlify runs npm ci by default) is out of control. I have thought about integrating npm more tightly into Hugo, but that has had the motivation of making it simpler, not more secure.

You could argue that the work Hugo has started with the hugo mod npm pack command is a step in the right direction, though.

My concerns about NPM is mostly:

  1. It tends to encourage importing every little tool on the planet for the smallest of tasks; I have tested sites built with some static JS generators, and the dependency tree is in the thousands, which is impossible to do any sensible security review of.
  2. It doesn’t seem to be very stable, so something that built fine two months ago, fails now for some mysterious reason that you need to do a StackOverflow search to figure out. One example: I’m not able to build the JS/CSS for the Hugo sites’ theme anymore. I have tried to figure it out, but I gave up. I could propably figure it out, but I’m instead in the process of rewriting it.

Yep, how do we ensure that tools outside of Hugo are safe/secure ? If it was an easy option to include or not npm, fine, but it doesn’t seem to be that easy. The author of this particular theme ( Can NPM be an opton ? · Discussion #515 · razonyang/hugo-theme-bootstrap · GitHub ) has stated that all versions of this theme are built on top of npm modules/packages. Yet for end users that is totally transparent.

I agree with your concerns about NPM. Using it does pull in thousands of scripts, yet how many are used in a particular theme. Also whilst it may appear that the use of Hugo theme indicates the theme is ‘secure’ and well controlled under Github management, and at least some accountability by having a number of contributors, if a theme has NPM, then it could equate to actually being contributed by thousands of ‘authors’.

That changes my perspective, hence the concerns. In an ideal world, it would be great to know if a Hugo theme uses NPM in any particular stage of development. But how can that be indicated, and I realise that is beyond the scope of Hugo, and up to each Hugo theme developer.

Some sort of theme standards that may at least protect the theme users from loading (possible) malicious code onto their websites.

I assume that most theme developers/authors consider that if a theme doesn’t crash or break anything, then it is tested ? That it is safe ?

Are there reliable NPM audit tools ? In life, we are constantly faced with situations where the risks need to be evaluated. Yet it comes down to a personal choice no doubt.

Thanks for your advice and discussion @bep

From the packages that are available for NPM - Ubuntu – Package Search Results -- npm

Package npm - package manager for Node.js
Package node-is-npm - Checks if your code is running as an npm script
Package node-npm-bundled - Parses info on bundled dependencies
Package node-npm-package-arg - Parse the things that can be arguments to npm install
Package node-npm-run-path - Get your PATH prepended with locally installed binaries
Package node-npmlog - Logger with custom levels and colored output for Node.js
Package node-npmrc - Switch between different .npmrc files
Package node-validate-npm-package-license - Tells if a string is a valid npm package license string
Package node-validate-npm-package-name - Checks if a string is a valid npm package name
Package npm2deb - tool to help debianize Node.js modules

and there will be some I missed. It seems the primary developer of NPM is Sindre Sorhus at sindresorhus (Sindre Sorhus) / Repositories · GitHub , who actively maintains over a thousand NPM packages ( see About | Sindre Sorhus ).

There is `npm audit’ , see npm audit at DuckDuckGo . If a theme has been audited, or at least the components/scripts that are used to build the theme have been audited, then can a version be flagged/marked as audited ? Safe and secure ??

This is a good measure, yet it still relies on EVERY contributor to follow the rules - View Awesome Npm (sindresorhus/awesome-npm) Readme With Stars | Track Awesome List

Since this is open source there is no way to enforce any rules on theme developers. At most the Hugo project can suggest best practices.

A npm audit “flag” is also outdated very quickly, you would need it to run daily for it to mean anything.

If you really do not want to use npm, find a theme (or build your own) that do not use it.

1 Like

Thanks. Yes, audits would need to be run very frequently. I may try out your theme at GitHub - frjo/hugo-theme-zen: A fast and clean Hugo theme with css-grid and Hugo pipes support. , as I noticed …

To make using npm optional I have added the stylesheets from the excellent sass plugin typey directly to the theme.

Remember that this is a “base theme”, you are ment to add your own CSS to it. The provided CSS gives you a functional site, but not a very existing one.

I use it myself for all Hugo sites I build, the designer(s) on the project provide the look and fell and I implement it.

The Zen theme use npm/node for linting the code, it is completely optional to use.

1 Like

Just BTW: On GitHub you additionally can activate the Dependabot. You can enable this to receive security messages.

1 Like

It installed fine for me, when I remembered I need Hugo extended that is. I don’t have NPM installed, and the theme worked and looked great for me. I’m not really looking for a fully blown “bells and whistles” theme.

I didn’t notice any NPM influence; will read up at GitHub - frjo/hugo-theme-zen: A fast and clean Hugo theme with css-grid and Hugo pipes support. to understand how to use the options though.

Thanks. I only had a very quick look and it seems from Viewing and updating Dependabot alerts - GitHub Docs that I would need to fork a theme first to get the alerts, is that correct ?

yes, that’s correct as far as I know. And the alerts aren’t always public. My post was just meant as an additional side note.

1 Like