Editing JavaScript (section)

=== Misplaced trust in developers ===
Package management systems such as [[npm (software)|npm]] and Bower are popular with JavaScript developers. Such systems allow a developer to easily manage their program's dependencies upon other developers' program libraries. Developers trust that the maintainers of the libraries will keep them secure and up to date, but that is not always the case. A vulnerability has emerged because of this blind trust. Relied-upon libraries can have new releases that cause bugs or vulnerabilities to appear in all programs that rely upon the libraries. Inversely, a library can go unpatched with known vulnerabilities out in the wild. In a study done looking over a sample of 133,000 websites, researchers found 37% of the websites included a library with at least one known vulnerability.<ref name="jslibs">{{citation |last1=Lauinger |first1=Tobias |last2=Chaabane |first2=Abdelberi |last3=Arshad |first3=Sajjad |last4=Robertson |first4=William |last5=Wilson |first5=Christo |last6=Kirda |first6=Engin |title=Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web |url=https://www.ccs.neu.edu/home/arshad/publications/ndss2017jslibs.pdf |website=Northeastern University |access-date=28 July 2022 |archive-url=https://web.archive.org/web/20170329045344/https://www.ccs.neu.edu/home/arshad/publications/ndss2017jslibs.pdf |archive-date=29 March 2017 |doi = 10.14722/ndss.2017.23414 |date = December 21, 2016|arxiv=1811.00918 |isbn=978-1-891562-46-4 |s2cid=17885720 |url-status=dead}}</ref> "The median lag between the oldest library version used on each website and the newest available version of that library is 1,177 days in ALEXA, and development of some libraries still in active use ceased years ago."<ref name="jslibs" /> Another possibility is that the maintainer of a library may remove the library entirely. This occurred in March 2016 when Azer Koçulu removed his repository from npm. This caused tens of thousands of programs and websites depending upon his libraries to break.<ref>{{cite news |work=Quartz |url=https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code/ |title=How one programmer broke the internet by deleting a tiny piece of code |first=Keith |last=Collins |date=March 27, 2016 |access-date=February 22, 2017 |archive-date=February 22, 2017 |archive-url=https://web.archive.org/web/20170222200836/https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code/ |url-status=live }}</ref><ref>SC Magazine UK, [https://www.scmagazineuk.com/developers-11-lines-of-deleted-code-breaks-the-internet/article/532050/ Developer's 11 lines of deleted code 'breaks the internet'] {{Webarchive|url=https://web.archive.org/web/20170223041434/https://www.scmagazineuk.com/developers-11-lines-of-deleted-code-breaks-the-internet/article/532050/ |date=February 23, 2017 }}</ref>