Background: The Node Package Manager (npm) ecosystem plays a vital role in modern software development by providing a vast repository of packages and tools that developers can use to implement their software systems. However, recent vulnerabilities in third-party packages have led to serious security breaches, compromising the integrity of applications that depend on them. Objective: This study investigates how npm package developers perceive and handle security in their work. We examined developers' understanding of security risks, the practices and tools they use, the barriers to stronger security measures, and their suggestions for improving the npm ecosystem's security. Method: We conducted an online survey with 75 npm package developers and undertook a mixed-methods approach to analyzing their responses. Results: While developers prioritize security, they perceive their packages as only moderately secure, with concerns about supply chain attacks, dependency vulnerabilities, and malicious code. Only 40% are satisfied with the current npm security tools due to issues such as alert fatigue. Automated methods such as two-factor authentication and npm audit are favored over code reviews. Many drop dependencies due to abandonment or vulnerabilities, and typically respond to vulnerabilities in their packages by quickly releasing patches. Key barriers include time constraints and high false-positive rates. To improve npm security, developers seek better detection tools, clearer documentation, stronger account protections, and more education initiatives. Conclusion: Our findings will benefit npm package contributors and maintainers by highlighting prevalent security challenges and promoting discussions on best practices to strengthen security and trustworthiness within the npm landscape.
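One practical response to the alert fatigue the survey reports is to triage `npm audit` output before it reaches a maintainer: filter by a severity floor, separate direct from transitive dependencies, and attach the concrete action (auto-fix, breaking upgrade, or drop the dependency) the abstract says developers actually take. The following is an added example written for this page; it is not code from the paper, from npm, or from any surveyed project. It assumes the report shape produced by `npm audit --json` in npm 7 and later (a top-level `vulnerabilities` object keyed by package name, each entry carrying `severity`, `isDirect`, `fixAvailable` and `via`); the sample report, package names and advisory titles are constructed and do not refer to real advisories.

```javascript
// Added example: triage a `npm audit --json` report to reduce alert fatigue.
// Assumes the npm 7+ report shape (see lead-in). All sample data below is constructed.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample resembling `npm audit --json` output; not real packages or advisories.
const SAMPLE_REPORT = {
  vulnerabilities: {
    "example-left-pad": {
      name: "example-left-pad", severity: "low", isDirect: false, fixAvailable: true,
      via: ["example-parent"], // a string in "via" means "reached through this parent package"
    },
    "example-parser": {
      name: "example-parser", severity: "high", isDirect: true,
      fixAvailable: { name: "example-parser", version: "2.0.1", isSemVerMajor: true },
      via: [{ title: "Constructed: prototype pollution", url: "https://example.invalid/advisory/0" }],
    },
    "example-logger": {
      name: "example-logger", severity: "critical", isDirect: false, fixAvailable: false,
      via: [{ title: "Constructed: command injection", url: "https://example.invalid/advisory/1" }],
    },
    "example-util": {
      name: "example-util", severity: "moderate", isDirect: true, fixAvailable: true,
      via: [{ title: "Constructed: ReDoS", url: "https://example.invalid/advisory/2" }],
    },
  },
};

// Decide what a maintainer can do about one finding, mirroring the responses the survey lists:
// patch automatically, take a (possibly breaking) upgrade, or drop/replace an unfixable dependency.
function recommendedAction(v) {
  if (v.fixAvailable === true) return "npm audit fix";
  if (v.fixAvailable && typeof v.fixAvailable === "object") {
    const target = `${v.fixAvailable.name}@${v.fixAvailable.version}`;
    return v.fixAvailable.isSemVerMajor ? `upgrade ${target} (breaking)` : `upgrade ${target}`;
  }
  return "no fix: drop or replace dependency";
}

// Return findings at or above `minSeverity`, highest severity first, direct deps before
// transitive ones. `directOnly` restricts output to packages the project depends on directly.
function triageAudit(report, { minSeverity = "high", directOnly = false } = {}) {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  const findings = [];
  for (const v of Object.values(report.vulnerabilities ?? {})) {
    const rank = SEVERITY_RANK[v.severity] ?? 0;
    if (rank < threshold) continue;
    if (directOnly && !v.isDirect) continue;
    // Object entries in "via" are the advisories themselves; string entries are parent packages.
    const advisories = (v.via ?? [])
      .filter((x) => typeof x === "object" && x !== null)
      .map((x) => x.title);
    findings.push({
      name: v.name, severity: v.severity, rank, isDirect: Boolean(v.isDirect),
      advisories, action: recommendedAction(v),
    });
  }
  findings.sort((a, b) => b.rank - a.rank || Number(b.isDirect) - Number(a.isDirect));
  return findings;
}

// Count findings per severity so a maintainer sees the shape of the backlog, not every alert.
function summarize(report) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const v of Object.values(report.vulnerabilities ?? {})) {
    if (v.severity in counts) counts[v.severity] += 1;
  }
  return counts;
}

// Stand-alone run: prints the triaged list for the constructed sample.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(summarize(SAMPLE_REPORT));
  for (const f of triageAudit(SAMPLE_REPORT, { minSeverity: "moderate" })) {
    console.log(`${f.severity.padEnd(8)} ${f.isDirect ? "direct " : "transit"} ${f.name}: ${f.action}`);
  }
}

if (typeof module !== "undefined") {
  module.exports = { SEVERITY_RANK, SAMPLE_REPORT, recommendedAction, triageAudit, summarize };
}
```

To use it against a real project, pipe `npm audit --json` into a file and pass the parsed object to `triageAudit`; raising `minSeverity` or setting `directOnly` is the knob that trades coverage for fewer, more actionable alerts.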