The Documentation Attack Surface: How npm Libraries Teach Insecure Patterns

Most security audits focus on code. But across five reviews of high-profile npm libraries — totaling 195 million weekly downloads — I found the same pattern: the code is secure, but the README teaches developers to be insecure. One finding resulted in a GitHub Security Advisory (GHSA-8wrj-g34g-4865) filed at the axios maintainer's request. This isn't a bug in any single library. It's a systemic issue in how the npm ecosystem documents security-sensitive operations. The Pattern A library implements a secure default. Then its README shows a simplified example that strips away the security. Developers copy the example. The library's download count becomes a multiplier for the insecure pattern. Case 1: axios — Credential Re-injection After Security Stripping (65M weekly downloads) The code: follow-redirects (axios's redirect handler) strips authorization headers when redirecting to a less secure protocol (HTTPS → HTTP) or a different domain — a deliberate security mechanism. The README: be