Understanding npm Developers' Practices, Challenges, and Recommendations for Secure Package Development

📅 2026-01-28
📈 Citations: 0
Influential: 0
🤖 AI Summary
This study addresses the growing concern of security vulnerabilities in third-party npm packages, which threaten the integrity of dependent applications, while the real-world security practices and challenges faced by developers remain poorly understood. Through an online survey of 75 npm package developers, the research employs a mixed-methods approach to systematically examine their security awareness, current practices, barriers to adopting security tools, and desired improvements. It reveals, for the first time, that although developers value security, satisfaction with existing tools such as npm audit remains low (only 40%), with a strong preference for automated solutions hindered primarily by time constraints and high false-positive rates. The study proposes actionable recommendations—including improving vulnerability detection tools, enhancing documentation, and strengthening security education—to provide empirical grounding and practical guidance for building a more trustworthy open-source software supply chain.

📝 Abstract
Background: The Node Package Manager (npm) ecosystem plays a vital role in modern software development by providing a vast repository of packages and tools that developers can use to implement their software systems. However, recent vulnerabilities in third-party packages have led to serious security breaches, compromising the integrity of applications that depend on them. Objective: This study investigates how npm package developers perceive and handle security in their work. We examined developers' understanding of security risks, the practices and tools they use, the barriers to stronger security measures, and their suggestions for improving the npm ecosystem's security. Method: We conducted an online survey with 75 npm package developers and undertook a mixed-methods approach to analyzing their responses. Results: While developers prioritize security, they perceive their packages as only moderately secure, with concerns about supply chain attacks, dependency vulnerabilities, and malicious code. Only 40% are satisfied with the current npm security tools due to issues such as alert fatigue. Automated methods such as two-factor authentication and npm audit are favored over code reviews. Many drop dependencies due to abandonment or vulnerabilities, and typically respond to vulnerabilities in their packages by quickly releasing patches. Key barriers include time constraints and high false-positive rates. To improve npm security, developers seek better detection tools, clearer documentation, stronger account protections, and more education initiatives. Conclusion: Our findings will benefit npm package contributors and maintainers by highlighting prevalent security challenges and promoting discussions on best practices to strengthen security and trustworthiness within the npm landscape.
Problem

Research questions and friction points this paper is trying to address.

npm
software security
package management
developer practices
supply chain security
Innovation

Methods, ideas, or system contributions that make the work stand out.

npm security
developer survey
software supply chain
vulnerability management
secure package development
Authors

Anthony Peruma
University of Hawai‘i at Mānoa
Program Comprehension, Software Refactoring, Software Maintenance, Software Evolution

Truman Choy
University of Hawai‘i at Mānoa

Gerald Lee
University of Hawai‘i at Mānoa

Italo De Oliveira Santos
University of Hawai‘i at Mānoa