Chainguard has introduced Chainguard Libraries for JavaScript, a set of trusted builds covering thousands of widely used JavaScript dependencies. Built from source on SLSA L2 infrastructure, these libraries are designed to be malware-resistant. By compiling every library and its dependencies securely from source, the solution gives security teams assurance that no malicious code has been inserted during build or distribution, closing a major gap in the JavaScript supply chain threat landscape.
Demonstrated risk in the JavaScript ecosystem
The risk in the JavaScript ecosystem isn’t theoretical: earlier this month, a number of packages used by millions of developers were compromised with malicious code. These malware attacks against popular JavaScript registries such as npm, from which developers download packages billions of times per week, demonstrated the risk of relying on traditional mechanisms for consuming language libraries. These public registries do not guarantee that every hosted artifact is vetted, and they provide no assurance that a distributed library matches its source code, exposing enterprises to supply chain attacks. Compounding the issue, AI has fueled a surge in JavaScript development, multiplying both the volume and the complexity of dependencies, and with them the opportunities for attackers.
According to Gartner, Inc., the costs from software supply chain attacks will rise from $46 billion in 2023 to $138 billion by 2031. The firm also predicted that by 2028, 85% of large enterprises will have deployed software supply chain security tools to combat these risks.
Mitigating malware attacks across JavaScript dependencies
With Chainguard Libraries for JavaScript, Chainguard offers protection for one of the most critical and vulnerable parts of the supply chain: the language dependencies that developers rely on to build and deploy applications. Until now, there was no way for security teams to mitigate malware at scale without disrupting engineering workflows and productivity. This gap left organizations susceptible to malicious code that could waste resources, steal application secrets, break production systems, or even leak customer data. Chainguard Libraries for JavaScript integrates with existing artifact managers, enabling application security teams to close this massive security hole while meeting developers where they already work.
As with Chainguard Libraries for Java and Python, Chainguard is building every dependency for every JavaScript library from source, combating malware injection at the build and distribution links of the open source supply chain. Isolating and rebuilding the shared system dependencies required by JavaScript libraries allows Chainguard to eliminate an additional hidden attack vector stemming from bundled software components.
“Chainguard is the first to rebuild JavaScript libraries from source at scale. We are expanding on the work already completed with Chainguard Libraries for Java and Python to JavaScript, the most popular programming language in the world,” said Patrick Donahue, SVP of Product, Chainguard. “We’re rebuilding every component we publish from source daily so organizations can mitigate malware, have clear visibility into what exactly is in their software, and eliminate the risk of hidden supply chain vulnerabilities. Ultimately, we’re providing a secure, trusted source of JavaScript libraries that allows enterprises to remove friction and add security without asking developers to change how they build and deploy software.”
Chainguard Libraries for JavaScript furthers the company’s mission to make open source software trustworthy by default and gives customers greater confidence to ship products more efficiently and securely. Chainguard now helps organizations secure even more of the modern development stack, starting with the OS and runtime environment with minimal, zero-CVE containers and virtual machines, and up to the application layer with language libraries for Python, Java, and now JavaScript.
For more information or to join the waitlist for Chainguard Libraries for JavaScript, visit the Chainguard website.