What I've found after scraping 1740 Meteor apps

I discovered Meteor 2 years ago and completely fell in love. Ever since, I've used Meteor almost every day. I've become the Paris/FR ambassador and created the biggest non-English-speaking Meteor community (4th biggest one worldwide).

With my friend Alban, we often talk about Meteor. One day we were wondering how people were using Meteor: what packages they use, what version of Meteor is the most used, etc.

A few days ago, I decided to scrape all the Meteor apps I could find and extract some statistics from them. Since we don't have the resources to wget/grep the whole Internet (if you can do that, I'll be happy to discuss it with you, contact me), we used some tricks to quickly collect a subset of them.

After a few hours, we had found 1740 unique Meteor apps; half of them were sub-domains of meteor.com (the free hosting provided by Meteor).

Meteor versions

The first easy thing we wanted to extract was which versions of Meteor these websites were using. Here are the results:

28% of the apps are using the new Meteor 1.0 version that was released one month ago.

Still, the majority of apps are running older versions: 32% on version 0.9.*, 18% on version 0.8.*.

It's interesting to note that 31 apps have hidden the version number and display "none". I don't know how they did that, but it's surely for "security" reasons.

Meteor packages

The next thing we wanted to know was which packages are the most used, among the 3000 packages available for Meteor. We extracted 1462 unique packages from the scraped apps and cleaned the data, removing the MDG and default packages. Here are the most used packages:

Unsurprisingly, iron-router, the well-known router for Meteor, is number one, far ahead of the other packages. iron:core is the new package name and iron-router the old one, so in total 61% of apps use it. Hard to live without it.

Arunoda will be happy to see that 116 apps are using his excellent Meteor performance monitoring tool, Kadira.

You can find the full stats in this spreadsheet.

Meteor Security

In reality, the first secret we wanted to uncover was how secure Meteor apps are.

Meteor provides really good tools to make your app secure. By default, a lot is done to avoid security issues.

For instance (from a Quora answer):

* It doesn't use session cookies. So no Cross-Site Request Forgeries.
* All user input HTML is escaped automatically when passed to the database. There is no way to do database injection, even if you tried.
* All user input is HTML-escaped when being displayed back to the client, thanks to the Handlebars-like {{…}} templates. No XSS.
* Meteor uses the best crypto to store hashed passwords — bcrypt.
* By default, you cannot pass "javascript:" in an "a" tag

and the list continues.

Meteor helps developers as much as it can, but the programmer still has to know what they are doing and how to avoid creating security holes.

Insecure package

By default, a Meteor app comes with a package called insecure, so that any client can execute MongoDB queries on the server without any check. It's really useful for building prototypes fast, but it must be removed if you want to do something serious.

We found 417 apps with the insecure package installed. It's only a problem if the app has collections, so we filtered for that; in the end, 221 apps have insecure installed and at least one collection.

In this list, there are a lot of "hello world" apps, but also some real apps, and for those it's really not a good idea. It means an attacker could run a MongoDB insert query on the users collection and gain access to the app.

They can also insert, modify or delete whatever they want in any collection. Big mess ahead.
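The fix is to run `meteor remove insecure` and then state explicitly which client-side writes are acceptable. The following is an added example, not code from the original post or from Meteor itself: it assumes a hypothetical `Posts` collection whose documents carry an `owner` field, and it keeps the allow/deny rules as plain functions so their behaviour can be checked outside a running Meteor server. The helper `isClientWriteAllowed` mirrors Meteor's evaluation order (a single matching deny rule rejects the write, otherwise at least one allow rule must accept it).

```javascript
// Added example (not from the original post): server-side write rules for a
// hypothetical "Posts" collection after `meteor remove insecure`.
// With insecure removed, every insert/update/remove issued from the client is
// rejected unless an allow rule returns true and no deny rule returns true.

// Allow rules use Meteor's signatures: insert(userId, doc),
// update(userId, doc, fieldNames, modifier), remove(userId, doc).
function canInsert(userId, doc) {
  // Only logged-in users may create posts, and only as themselves.
  return !!userId && doc.owner === userId;
}

function canUpdate(userId, doc, fieldNames, modifier) {
  // Only the owner may edit, and the owner field itself is immutable.
  return !!userId && doc.owner === userId && fieldNames.indexOf('owner') === -1;
}

function canRemove(userId, doc) {
  return !!userId && doc.owner === userId;
}

// Deny rule: any client write touching server-controlled fields is refused,
// no matter what the allow rules say.
const PROTECTED_FIELDS = ['createdAt', 'isAdmin'];
function denyPrivilegedFields(userId, doc, fieldNames) {
  return fieldNames.some(function (f) { return PROTECTED_FIELDS.indexOf(f) !== -1; });
}

// Mirrors how Meteor combines rules: a write goes through only if no deny rule
// returns true AND at least one allow rule returns true. Deny always wins.
function isClientWriteAllowed(allowRules, denyRules) {
  const args = Array.prototype.slice.call(arguments, 2);
  if (denyRules.some(function (rule) { return rule.apply(null, args); })) return false;
  return allowRules.some(function (rule) { return rule.apply(null, args); });
}

// Attach the rules when this file is loaded by a Meteor server. The guard lets
// the same file load in plain Node for testing.
if (typeof Meteor !== 'undefined' && Meteor.isServer && typeof Mongo !== 'undefined') {
  const Posts = new Mongo.Collection('posts');
  Posts.allow({
    insert: canInsert,
    update: canUpdate,
    remove: canRemove,
    fetch: ['owner'] // only load the field the rules actually inspect
  });
  Posts.deny({ update: denyPrivilegedFields });
}
```

Anything not covered by these rules (creating a post for someone else, editing another user's post, setting `isAdmin` from the browser) is refused at the server, which is exactly the check the insecure package switches off.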

Autopublish package

This is another package installed by default, also used to quickly develop prototypes. With this package installed, the full contents of all collections are sent to every client.

292 apps have this package. Again, it's only a problem if the app has collections; 115 have at least one collection.

It is a problem if some documents in the app contain private information (password hashes, API keys, …). In that case, everybody can see that information.
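After `meteor remove autopublish`, nothing reaches the client unless a publication returns it, so the field list of each publication decides what a browser can ever see. The following is an added example, not code from the original post or from Meteor: it assumes a hypothetical `Profiles` collection holding a public `username` and `bio`, a private `email`, and an `apiKey` that must never leave the server. The sample documents are constructed for the example, and the `project` helper applies the same inclusion projection Mongo would, so the effect of each publication can be checked without a running server.

```javascript
// Added example (not from the original post): explicit publications replacing
// autopublish for a hypothetical "Profiles" collection.

// Fields any client may see about any profile.
const PUBLIC_PROFILE_FIELDS = { username: 1, bio: 1 };
// Fields a logged-in user may see about their own profile.
// apiKey is deliberately absent from both lists: it is never published.
const OWN_PROFILE_FIELDS = { username: 1, bio: 1, email: 1 };

// Query descriptions (selector + options) used by the publications below.
function publicProfilesQuery() {
  return { selector: {}, options: { fields: PUBLIC_PROFILE_FIELDS } };
}

function ownProfileQuery(userId) {
  if (!userId) return null; // not logged in: publish nothing
  return { selector: { _id: userId }, options: { fields: OWN_PROFILE_FIELDS } };
}

// Apply a Mongo-style inclusion projection to one document (_id always included).
function project(doc, fields) {
  const out = { _id: doc._id };
  Object.keys(fields).forEach(function (f) {
    if (fields[f] && doc[f] !== undefined) out[f] = doc[f];
  });
  return out;
}

// Constructed sample data (not real accounts or keys).
const SAMPLE_PROFILES = [
  { _id: 'u1', username: 'alice', bio: 'hello', email: 'alice@example.test', apiKey: 'SAMPLE-KEY-1' },
  { _id: 'u2', username: 'bob', bio: 'hi', email: 'bob@example.test', apiKey: 'SAMPLE-KEY-2' }
];

// What a client logged in as userId would receive from the two publications.
function documentsSentTo(userId, docs) {
  const pub = publicProfilesQuery();
  const own = ownProfileQuery(userId);
  return {
    publicProfiles: docs.map(function (d) { return project(d, pub.options.fields); }),
    ownProfile: own
      ? docs.filter(function (d) { return d._id === own.selector._id; })
            .map(function (d) { return project(d, own.options.fields); })
      : []
  };
}

// Register the publications when loaded by a Meteor server; the guard lets the
// file also load in plain Node for testing.
if (typeof Meteor !== 'undefined' && Meteor.isServer && typeof Mongo !== 'undefined') {
  const Profiles = new Mongo.Collection('profiles');

  Meteor.publish('profiles.public', function () {
    const q = publicProfilesQuery();
    return Profiles.find(q.selector, q.options);
  });

  Meteor.publish('profiles.own', function () {
    const q = ownProfileQuery(this.userId); // this.userId is set by Meteor for the subscribing client
    if (!q) return this.ready();
    return Profiles.find(q.selector, q.options);
  });
}
```

With autopublish the client would have received both `email` and `apiKey` for every user; with these publications it receives public fields for everyone, its own `email`, and never an `apiKey`.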

Conclusion

We have lots of other cool findings to share. We used Alexa to rank Meteor apps and discard "hello world" apps, so that we get better statistics.

Through the scraping and ranking, we found some real apps we had never heard of, so we decided to create a weekly newsletter to share all our discoveries with you.

The newsletter will contain some cool apps we’ve found, cool packages, security issues and a lot more…

Subscribe to the Meteor Secret newsletter.