{"id":"https://openalex.org/W7126051495","doi":"https://doi.org/10.1145/3794860.3794908","title":"Understanding npm Developers\u2019 Practices, Challenges, and Recommendations for Secure Package Development","display_name":"Understanding npm Developers\u2019 Practices, Challenges, and Recommendations for Secure Package Development","publication_year":2026,"publication_date":"2026-04-12","ids":{"openalex":"https://openalex.org/W7126051495","doi":"https://doi.org/10.1145/3794860.3794908"},"language":null,"primary_location":{"id":"doi:10.1145/3794860.3794908","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3794860.3794908","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 19th International Conference on Cooperative and Human Aspects of Software Engineering","raw_type":"proceedings-article"},"type":"article","indexed_in":["arxiv","crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1145/3794860.3794908","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5034384030","display_name":"Anthony Peruma","orcid":"https://orcid.org/0000-0003-2585-657X"},"institutions":[{"id":"https://openalex.org/I117965899","display_name":"University of Hawai\u02bbi at M\u0101noa","ror":"https://ror.org/01wspgy28","country_code":"US","type":"education","lineage":["https://openalex.org/I117965899"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Anthony Peruma","raw_affiliation_strings":["University of Hawai\u2018i at M\u0101noa, Honolulu, Hawaii, USA"],"raw_orcid":"https://orcid.org/0000-0003-2585-657X","affiliations":[{"raw_affiliation_string":"University of Hawai\u2018i at M\u0101noa, Honolulu, Hawaii, USA","institution_ids":["https://openalex.org/I117965899"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5123692583","display_name":"Truman Choy","orcid":null},"institutions":[{"id":"https://openalex.org/I117965899","display_name":"University of Hawai\u02bbi at M\u0101noa","ror":"https://ror.org/01wspgy28","country_code":"US","type":"education","lineage":["https://openalex.org/I117965899"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Truman Choy","raw_affiliation_strings":["University of Hawai\u2018i at M\u0101noa, Honolulu, Hawaii, USA"],"raw_orcid":"https://orcid.org/0009-0002-6336-7873","affiliations":[{"raw_affiliation_string":"University of Hawai\u2018i at M\u0101noa, Honolulu, Hawaii, USA","institution_ids":["https://openalex.org/I117965899"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5124170002","display_name":"Gerald Lee","orcid":null},"institutions":[{"id":"https://openalex.org/I117965899","display_name":"University of Hawai\u02bbi at M\u0101noa","ror":"https://ror.org/01wspgy28","country_code":"US","type":"education","lineage":["https://openalex.org/I117965899"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Gerald Lee","raw_affiliation_strings":["University of Hawai\u2018i at M\u0101noa, Honolulu, Hawaii, USA"],"raw_orcid":"https://orcid.org/0009-0001-4569-3950","affiliations":[{"raw_affiliation_string":"University of Hawai\u2018i at M\u0101noa, Honolulu, Hawaii, USA","institution_ids":["https://openalex.org/I117965899"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5124238900","display_name":"Italo De Oliveira Santos","orcid":null},"institutions":[{"id":"https://openalex.org/I117965899","display_name":"University of Hawai\u02bbi at M\u0101noa","ror":"https://ror.org/01wspgy28","country_code":"US","type":"education","lineage":["https://openalex.org/I117965899"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Italo De Oliveira Santos","raw_affiliation_strings":["University of Hawai\u2018i at M\u0101noa, Honolulu, Hawaii, USA"],"raw_orcid":"https://orcid.org/0000-0002-7545-6104","affiliations":[{"raw_affiliation_string":"University of Hawai\u2018i at M\u0101noa, Honolulu, Hawaii, USA","institution_ids":["https://openalex.org/I117965899"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":1,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I117965899"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.07194517,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"272","last_page":"282"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.3447999954223633,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.3447999954223633,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.10379999876022339,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T13999","display_name":"Digital Rights Management and Security","score":0.04600000008940697,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.4869000017642975},{"id":"https://openalex.org/keywords/authentication","display_name":"Authentication (law)","score":0.44040000438690186},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.4390000104904175},{"id":"https://openalex.org/keywords/data-breach","display_name":"Data breach","score":0.42419999837875366},{"id":"https://openalex.org/keywords/data-integrity","display_name":"Data integrity","score":0.41029998660087585},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.39910000562667847},{"id":"https://openalex.org/keywords/dependency","display_name":"Dependency (UML)","score":0.38199999928474426},{"id":"https://openalex.org/keywords/data-security","display_name":"Data security","score":0.3806999921798706},{"id":"https://openalex.org/keywords/audit","display_name":"Audit","score":0.3734999895095825}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6122000217437744},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5088000297546387},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.4869000017642975},{"id":"https://openalex.org/C148417208","wikidata":"https://www.wikidata.org/wiki/Q4825882","display_name":"Authentication (law)","level":2,"score":0.44040000438690186},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.4390000104904175},{"id":"https://openalex.org/C165609540","wikidata":"https://www.wikidata.org/wiki/Q1172486","display_name":"Data breach","level":2,"score":0.42419999837875366},{"id":"https://openalex.org/C33762810","wikidata":"https://www.wikidata.org/wiki/Q461671","display_name":"Data integrity","level":2,"score":0.41029998660087585},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.39910000562667847},{"id":"https://openalex.org/C19768560","wikidata":"https://www.wikidata.org/wiki/Q320727","display_name":"Dependency (UML)","level":2,"score":0.38199999928474426},{"id":"https://openalex.org/C10511746","wikidata":"https://www.wikidata.org/wiki/Q899388","display_name":"Data security","level":3,"score":0.3806999921798706},{"id":"https://openalex.org/C199521495","wikidata":"https://www.wikidata.org/wiki/Q181487","display_name":"Audit","level":2,"score":0.3734999895095825},{"id":"https://openalex.org/C184356942","wikidata":"https://www.wikidata.org/wiki/Q830382","display_name":"Best practice","level":2,"score":0.3386000096797943},{"id":"https://openalex.org/C2779816988","wikidata":"https://www.wikidata.org/wiki/Q305418","display_name":"Abandonment (legal)","level":2,"score":0.3377000093460083},{"id":"https://openalex.org/C77109596","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Application security","level":5,"score":0.336899995803833},{"id":"https://openalex.org/C153701036","wikidata":"https://www.wikidata.org/wiki/Q659974","display_name":"Trustworthiness","level":2,"score":0.33219999074935913},{"id":"https://openalex.org/C195094911","wikidata":"https://www.wikidata.org/wiki/Q14167904","display_name":"Process management","level":1,"score":0.3206000030040741},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.3190999925136566},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.3149999976158142},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.31119999289512634},{"id":"https://openalex.org/C145097563","wikidata":"https://www.wikidata.org/wiki/Q1148747","display_name":"Payment","level":2,"score":0.31060001254081726},{"id":"https://openalex.org/C154908896","wikidata":"https://www.wikidata.org/wiki/Q2167404","display_name":"Security policy","level":2,"score":0.30140000581741333},{"id":"https://openalex.org/C71745522","wikidata":"https://www.wikidata.org/wiki/Q2476929","display_name":"Confidentiality","level":2,"score":0.30059999227523804},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.2976999878883362},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.28049999475479126},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.2669000029563904},{"id":"https://openalex.org/C123551368","wikidata":"https://www.wikidata.org/wiki/Q7122888","display_name":"Package development process","level":5,"score":0.2621999979019165},{"id":"https://openalex.org/C117447612","wikidata":"https://www.wikidata.org/wiki/Q1412670","display_name":"Software quality","level":4,"score":0.2581999897956848},{"id":"https://openalex.org/C83163435","wikidata":"https://www.wikidata.org/wiki/Q3954104","display_name":"Security management","level":2,"score":0.25279998779296875},{"id":"https://openalex.org/C2776831232","wikidata":"https://www.wikidata.org/wiki/Q966812","display_name":"Trusted Computing","level":2,"score":0.2522999942302704}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3794860.3794908","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3794860.3794908","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 19th International Conference on Cooperative and Human Aspects of Software Engineering","raw_type":"proceedings-article"},{"id":"pmh:oai:arXiv.org:2601.20240","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2601.20240","pdf_url":"https://arxiv.org/pdf/2601.20240","source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"}],"best_oa_location":{"id":"doi:10.1145/3794860.3794908","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3794860.3794908","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 19th International Conference on Cooperative and Human Aspects of Software Engineering","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Background:":[0],"The":[1],"Node":[2],"Package":[3],"Manager":[4],"(npm)":[5],"ecosystem":[6],"plays":[7],"a":[8,17,110],"vital":[9],"role":[10],"in":[11,36,66,185],"modern":[12],"software":[13,31],"development":[14],"by":[15,188,229],"providing":[16],"vast":[18],"repository":[19],"of":[20,48,73],"packages":[21,38,125,187],"and":[22,63,78,88,108,138,164,180,197,215,227,234,243],"tools":[23,79,150],"that":[24,50],"developers":[25,61,107,119,205],"can":[26],"use":[27],"to":[28,41,84,113,152,176,183,240],"implement":[29],"their":[30,67,89,115,124,186],"systems.":[32],"However,":[33],"recent":[34],"vulnerabilities":[35,184],"third-party":[37],"have":[39],"led":[40],"serious":[42],"security":[43,65,74,86,149,232,242],"breaches,":[44],"compromising":[45],"the":[46,76,82,93,146,246],"integrity":[47],"applications":[49],"depend":[51],"on":[52,237],"them.":[53],"Objective:":[54],"This":[55],"study":[56],"investigates":[57],"how":[58],"npm":[59,94,105,148,165,203,224,247],"package":[60,106,225],"perceive":[62,123],"handle":[64],"work.":[68],"We":[69,98],"examined":[70],"developers'":[71],"understanding":[72],"risks,":[75],"practices":[77,239],"they":[80,122],"use,":[81],"barriers":[83,193],"stronger":[85,212],"measures,":[87],"suggestions":[90],"for":[91],"improving":[92],"ecosystem's":[95],"security.":[96],"Method:":[97],"conducted":[99],"an":[100],"online":[101],"survey":[102],"with":[103,130,145],"75":[104],"undertook":[109],"mixed-methods":[111],"approach":[112],"analyzing":[114],"responses.":[116],"Results:":[117],"While":[118],"prioritize":[120],"security,":[121,204],"as":[126,155,161],"only":[127],"moderately":[128],"secure,":[129],"concerns":[131],"about":[132],"supply":[133],"chain":[134],"attacks,":[135],"dependency":[136],"vulnerabilities,":[137,179],"malicious":[139],"code.":[140],"Only":[141],"40%":[142],"are":[143,167],"satisfied":[144],"current":[147],"due":[151,175],"issues":[153],"such":[154,160],"alert":[156],"fatigue.":[157],"Automated":[158],"methods":[159],"two-factor":[162],"authentication":[163],"audit":[166],"favored":[168],"over":[169],"code":[170],"reviews.":[171],"Many":[172],"drop":[173],"dependencies":[174],"abandonment":[177],"or":[178],"typically":[181],"respond":[182],"quickly":[189],"releasing":[190],"patches.":[191],"Key":[192],"include":[194],"time":[195],"constraints":[196],"high":[198],"false-positive":[199],"rates.":[200],"To":[201],"improve":[202],"seek":[206],"better":[207],"detection":[208],"tools,":[209],"clearer":[210],"documentation,":[211],"account":[213],"protections,":[214],"more":[216],"education":[217],"initiatives.":[218],"Conclusion:":[219],"Our":[220],"findings":[221],"will":[222],"benefit":[223],"contributors":[226],"maintainers":[228],"highlighting":[230],"prevalent":[231],"challenges":[233],"promoting":[235],"discussions":[236],"best":[238],"strengthen":[241],"trustworthiness":[244],"within":[245],"landscape.":[248]},"counts_by_year":[],"updated_date":"2026-07-10T05:55:21.843218","created_date":"2026-01-30T00:00:00"}
