npmSECO: A Tool for Integrating Trust into the Software Ecosystem

Publication date

2025-03-23

Authors

Hou, Fang (ISNI 0000000523803102)
Temelko, Angel
Voordouw, Martijn

Editors

Papatheocharous, Efi
Farshidi, Siamak
Jansen, Slinger
Hyrynsalmi, Sonja

Document Type

Part of book

License

taverne

Abstract

Selecting software packages is challenging because of the many trust factors involved, such as functionality, compatibility, security, or maintenance, which often require comprehensive analysis and cross-referencing. In addition, the sheer number of software packages and their dependencies can overwhelm decision-makers, leading to oversights and inefficiencies in the selection process, including missed critical vulnerabilities. This paper introduces npmSECO, an open-source initiative designed to evaluate the trust and security of software packages before and after installation. We infuse trust data, including trust factors and scores, into a package ecosystem, npm, which is well known for its vulnerabilities and extensive dependency trees, in order to create a more secure environment in which software engineers produce software. Trust scores and factors are displayed in the command line interface, giving software engineers rich information for package evaluation in one place before installation. We conducted 20 interviews with software engineers to assess the tool. Preliminary feedback indicates that npmSECO offers a high level of usability.

Keywords

Package Evaluation, Software Ecosystem, Software Package, Software trust, Taverne, Management Information Systems, Control and Systems Engineering, Business and International Management, Information Systems, Modelling and Simulation, Information Systems and Management

Citation

Hou, F., Temelko, A. & Voordouw, M. 2025, "npmSECO: A Tool for Integrating Trust into the Software Ecosystem", in E. Papatheocharous, S. Farshidi, S. Jansen & S. Hyrynsalmi (eds), Software Business - 15th International Conference, ICSOB 2024, Proceedings. Lecture Notes in Business Information Processing, vol. 539 LNBIP, Springer, pp. 366-381. 15th International Conference on Software Business, ICSOB 2024, Utrecht, Netherlands, 18/11/24. https://doi.org/10.1007/978-3-031-85849-9_29