npmSECO: A Tool for Integrating Trust into the Software Ecosystem
Publication date
2025-03-23
Editors
Papatheocharous, Efi
Farshidi, Siamak
Jansen, Slinger
Hyrynsalmi, Sonja
Document Type
Part of book
License
taverne
Abstract
Selecting software packages is challenging because of the many trust factors involved, such as functionality, compatibility, security and maintenance, which usually require comprehensive analysis and cross-referencing. In addition, the sheer number of software packages and their dependencies can overwhelm decision-makers, leading to oversights and inefficiencies in the selection process and to critical vulnerabilities being missed. This paper introduces npmSECO, an open-source initiative for evaluating the trust and security of software packages before and after installation. We infuse trust data, including trust factors and scores, into the npm package ecosystem, which is well known for its vulnerabilities and extensive dependency trees, to create a more secure environment in which software engineers produce software. Trust scores and factors are displayed in the command-line interface, giving software engineers rich information for package evaluation in one place before installation. We conducted 20 interviews with software engineers to assess the tool. Preliminary feedback indicates that npmSECO offers a high level of usability.
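As an added illustration, not code from the paper or from the npmSECO project, the following JavaScript sketches the kind of pre-install trust check the abstract describes: it derives security, maintenance and install-time factors from registry-style package metadata (the shape `npm view <pkg> --json` returns), folds them into a score, and prints a CLI-style report. The factor weights, the thresholds, the fictional package `example-leftpad`, the advisory `EXAMPLE-ADV-1` and every function name are assumptions constructed for this example and are not the paper's scoring model.

```javascript
'use strict';

const DAY_MS = 24 * 60 * 60 * 1000;

// Extract trust factors from a packument-shaped object plus a list of
// advisories. Advisories here list affected versions explicitly so the
// example needs no semver library (an assumption made for brevity).
function trustFactors(pkg, advisories, now) {
  const version = pkg['dist-tags'].latest;
  const manifest = pkg.versions[version];
  const scripts = manifest.scripts || {};
  // Lifecycle scripts execute arbitrary code during `npm install`, so their
  // presence is worth surfacing before the package ever touches the machine.
  const installScripts = ['preinstall', 'install', 'postinstall'].filter((s) => s in scripts);
  const openAdvisories = advisories.filter(
    (a) => a.package === pkg.name && a.affectedVersions.includes(version),
  );
  return {
    name: pkg.name,
    version,
    maintainers: (pkg.maintainers || []).length,
    daysSincePublish: Math.floor((now - new Date(pkg.time[version])) / DAY_MS),
    deprecated: Boolean(manifest.deprecated),
    installScripts,
    openAdvisories: openAdvisories.map((a) => a.id),
    dependencyCount: Object.keys(manifest.dependencies || {}).length,
  };
}

// Combine the factors into a 0-100 score. The weights are illustrative
// assumptions, not a published model.
function trustScore(f) {
  let score = 100;
  if (f.openAdvisories.length > 0) score -= 40; // security: known advisory
  if (f.deprecated) score -= 25;                 // maintenance: deprecated
  if (f.daysSincePublish > 365) score -= 15;     // maintenance: stale release
  if (f.maintainers < 2) score -= 10;            // maintenance: bus factor
  score -= 5 * f.installScripts.length;          // install-time code execution
  if (f.dependencyCount > 20) score -= 5;        // transitive exposure
  return Math.max(0, score);
}

function verdict(score) {
  if (score >= 70) return 'ok';
  if (score >= 40) return 'warn';
  return 'block';
}

// Build the report a pre-install hook could print to the terminal.
function report(pkg, advisories, now = new Date()) {
  const f = trustFactors(pkg, advisories, now);
  const score = trustScore(f);
  const lines = [
    `${f.name}@${f.version}  trust score ${score}/100  [${verdict(score)}]`,
    `  security     advisories: ${f.openAdvisories.length ? f.openAdvisories.join(', ') : 'none'}`,
    `  maintenance  last publish ${f.daysSincePublish} days ago, ${f.maintainers} maintainer(s)${f.deprecated ? ', DEPRECATED' : ''}`,
    `  install      lifecycle scripts: ${f.installScripts.length ? f.installScripts.join(', ') : 'none'}`,
    `  footprint    ${f.dependencyCount} direct dependencies`,
  ];
  return { factors: f, score, verdict: verdict(score), text: lines.join('\n') };
}

// Constructed sample metadata for a fictional package; not a real registry entry.
const samplePackument = {
  name: 'example-leftpad',
  'dist-tags': { latest: '1.4.1' },
  time: { '1.4.1': '2023-02-10T12:00:00.000Z' },
  maintainers: [{ name: 'solo-dev' }],
  versions: {
    '1.4.1': {
      deprecated: false,
      scripts: { postinstall: 'node setup.js', test: 'mocha' },
      dependencies: { 'example-util': '^2.0.0' },
    },
  },
};
// Constructed advisory list; the identifier is fictional.
const sampleAdvisories = [
  { id: 'EXAMPLE-ADV-1', package: 'example-leftpad', affectedVersions: ['1.4.0', '1.4.1'] },
];

console.log(report(samplePackument, sampleAdvisories).text);
```

In practice the packument would come from `npm view <pkg> --json` and the advisory list from a vulnerability database; the point of the example is that every factor is available before `npm install` runs anything, which is where a gate like this belongs.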
Keywords
Package Evaluation, Software Ecosystem, Software Package, Software trust, Taverne, Management Information Systems, Control and Systems Engineering, Business and International Management, Information Systems, Modelling and Simulation, Information Systems and Management
Citation
Hou, F, Temelko, A & Voordouw, M 2025, npmSECO: A Tool for Integrating Trust into the Software Ecosystem. in E Papatheocharous, S Farshidi, S Jansen & S Hyrynsalmi (eds), Software Business - 15th International Conference, ICSOB 2024, Proceedings. Lecture Notes in Business Information Processing, vol. 539 LNBIP, Springer, pp. 366-381, 15th International Conference on Software Business, ICSOB 2024, Utrecht, Netherlands, 18/11/24. https://doi.org/10.1007/978-3-031-85849-9_29, conference