Chainguard Libraries for JavaScript provides developers with malware-free dependencies

Chainguard released Chainguard Libraries for JavaScript, a collection of trusted builds of thousands of common JavaScript dependencies that are malware-resistant and built from source on SLSA L2 infrastructure.

By securely building every library and all of its dependencies from source, Chainguard Libraries for JavaScript provides security and engineering teams with confidence that malware has not been inserted during the build or distribution of libraries in the JavaScript ecosystem, eliminating a significant gap in the threat landscape.

Demonstrated risk in the JavaScript ecosystem

The risk in the JavaScript ecosystem isn’t theoretical. Earlier this month, a number of packages used by millions of developers were compromised via malicious code. These malware attacks against popular JavaScript registries like npm, which developers download billions of times per week, demonstrated the risk of relying on traditional mechanisms for language library consumption.

These public registries do not guarantee that all hosted artifacts are vetted and do not provide assurance that the distributed library matches its source code, exposing enterprises to supply chain attacks. Compounding the issue, AI has fueled a surge in JavaScript development, multiplying both the volume and complexity of dependencies — and with it, the opportunities for attackers.

According to Gartner, “A source estimates costs from software supply chain attacks will rise from $46 billion in 2023 to $138 billion by 2031.” The firm also predicted that “by 2028, 85% of large enterprises will have deployed software supply chain security tools to combat these risks.”

Mitigating malware attacks across JavaScript dependencies

With Chainguard Libraries for JavaScript, Chainguard offers protection for the language dependencies that developers rely on to build and deploy applications. Until now, there was no way for security teams to mitigate malware at scale without disrupting engineering workflows and productivity. This gap left organizations susceptible to the risks of malicious code that could waste resources, steal application secrets, break production systems, or even leak customer data.

Chainguard Libraries for JavaScript integrates with existing artifact managers, such as JFrog Artifactory and Sonatype Nexus, to empower application security teams to close this massive security hole while meeting developers where they work.

As with Chainguard Libraries for Java and Python, Chainguard is building every dependency for every JavaScript library from source, combating malware injection at the build and distribution links of the open source supply chain. Isolating and rebuilding the shared system dependencies required by JavaScript libraries allows Chainguard to eliminate an additional hidden attack vector stemming from bundled software components.

“Chainguard is the first to rebuild JavaScript libraries from source at scale. We are expanding on the work already completed with Chainguard Libraries for Java and Python to JavaScript, the most popular programming language in the world,” said Patrick Donahue, SVP of Product, Chainguard. “We’re rebuilding every component we publish from source so organizations can mitigate malware, have clear visibility into what exactly is in their software, and eliminate the risk of hidden supply chain vulnerabilities. Ultimately, we’re providing a secure, trusted source of JavaScript libraries that allows enterprises to remove friction and add security without asking developers to change how they build and deploy software.”

Chainguard Libraries for JavaScript furthers the company’s mission to make open source software trustworthy by default and gives customers greater confidence to ship products more efficiently and securely. Chainguard now helps organizations secure even more of the development stack, starting with the OS and runtime environment with minimal, zero-CVE containers and virtual machines, and up to the application layer with language libraries for Python, Java, and now JavaScript.

“The recent compromises in popular npm packages highlight just how easy it still is for attackers to slip malicious code into the software supply chain. Chainguard’s approach to open source software security flips that paradigm — by rebuilding every JavaScript library from source, they will give development teams a way to eliminate common supply chain attacks and actually have a trusted source for packaged libraries. The open source community has made a herculean effort to bring software to the masses, but policing it falls to commercial entities,” said Rob Gil, Security Architect at Okta.

“JavaScript has long been the backbone of modern application development, but the ecosystem’s dependency sprawl and security gaps come with risks,” explains Kate Holterhoff, senior analyst at RedMonk. “Chainguard’s decision to rebuild libraries from source addresses these risks by providing a trusted supply of JavaScript dependencies that is more able to resist malware.”

Chainguard Libraries for JavaScript is now available in closed beta.
