Hasty Briefs (beta)

Show HN: Tips to stay safe from NPM supply chain attacks

9 hours ago
  • #dependency-management
  • #npm-security
  • #supply-chain
  • The NPM ecosystem is vulnerable to compromises, supply-chain attacks, malware, spam, phishing, and trolls.
  • Use exact version pinning to avoid installing compromised packages with commands like `npm install --save-exact react`.
  • Override transitive dependencies in `package.json` using the `overrides` field to ensure specific versions are used.
  • Commit lockfiles (e.g., `package-lock.json`, `pnpm-lock.yaml`) to Git to ensure consistent dependency versions across environments.
  • Disable lifecycle scripts (e.g. `npm config set ignore-scripts true`) so that a package's install-time scripts cannot run malicious code on your machine or CI.
  • Delay installation of newly published versions, for example with pnpm's `minimumReleaseAge` option, so a compromised release can be caught and unpublished before it reaches you.
  • Use native Node.js, Bun, or Deno features instead of third-party libraries where possible to reduce dependency risks.
  • Enable two-factor authentication (2FA) for npm accounts and use granular access tokens with restricted permissions.
  • Publish packages with provenance to verify build sources and ensure integrity using `npm publish --provenance`.
  • Limit files included in published npm packages using the `files` field in `package.json` to reduce attack surfaces.
  • Use private package registries like GitHub Packages or Verdaccio to enforce security policies and vet dependencies.
  • Regularly audit dependencies for vulnerabilities using tools like `npm audit`, Socket.dev, or Snyk.
  • Support open-source maintainers through donations to prevent burnout and reduce risks of social engineering attacks.
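The pinning, lockfile, `files` and `ignore-scripts` tips above can be turned into a pre-commit or CI check. The script below is an added example, not code from the summary or the HN post it describes: it audits a `package.json` (plus a `.npmrc` and the list of files present in the repo root) and reports which of those tips are not applied. The two manifests, the `.npmrc` text and the package names `some-lib`/`nested-dep` in the override are constructed for illustration; the rule set goes slightly beyond the list by also checking `save-exact`, which is what makes `--save-exact` the default for future installs.

```javascript
// Added example (not from the summary or the HN post): audit a package.json
// and .npmrc against the npm supply-chain hardening tips listed above.
// All sample data below is constructed for illustration.

// A spec is "exact" only if it is a full semver version (optionally with
// prerelease/build metadata). Ranges (^ ~ * >=), dist-tags such as "latest"
// and git/URL specs resolve at install time and can pull in a newer,
// compromised release without any change to package.json.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const LOCKFILES = ["package-lock.json", "npm-shrinkwrap.json", "pnpm-lock.yaml", "yarn.lock", "bun.lock", "bun.lockb"];

function isExactSpec(spec) {
  return typeof spec === "string" && EXACT_VERSION.test(spec);
}

// Minimal .npmrc reader: "key=value" lines, '#' or ';' start a comment.
function parseNpmrc(text) {
  const config = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    config[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return config;
}

// Walk the `overrides` tree: a value is either a version string or a nested
// object keyed by child package name (npm's format for scoped overrides).
function collectOverrideSpecs(node, path, out) {
  for (const [name, value] of Object.entries(node)) {
    const here = `${path}.${name}`;
    if (typeof value === "object" && value !== null) collectOverrideSpecs(value, here, out);
    else out.push([here, value]);
  }
  return out;
}

// Returns a list of { rule, detail } findings; an empty list means all checks pass.
function auditManifest(pkg, npmrcText, presentFiles) {
  const findings = [];
  const flag = (rule, detail) => findings.push({ rule, detail });

  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isExactSpec(spec)) flag("exact-pin", `${field}.${name} = "${spec}" is not an exact version`);
    }
  }
  for (const [path, spec] of collectOverrideSpecs(pkg.overrides || {}, "overrides", [])) {
    if (!isExactSpec(spec)) flag("exact-pin", `${path} = "${spec}" is not an exact version`);
  }
  if (!Array.isArray(pkg.files) || pkg.files.length === 0) {
    flag("files-allowlist", "no `files` allowlist; `npm publish` would ship everything not ignored");
  }
  if (!presentFiles.some((f) => LOCKFILES.includes(f))) {
    flag("lockfile", "no lockfile committed; installs are not reproducible across environments");
  }
  const npmrc = parseNpmrc(npmrcText);
  if (npmrc["ignore-scripts"] !== "true") {
    flag("ignore-scripts", ".npmrc does not set ignore-scripts=true; install-time lifecycle scripts will run");
  }
  if (npmrc["save-exact"] !== "true") {
    flag("save-exact", ".npmrc does not set save-exact=true; future `npm install <pkg>` calls will write ^ ranges");
  }
  return findings;
}

// Constructed "before" manifest: ranges, a dist-tag, no files allowlist, no lockfile, default .npmrc.
const WEAK_MANIFEST = {
  name: "example-app",
  dependencies: { react: "^18.2.0", lodash: "~4.17.21" },
  devDependencies: { typescript: "latest" },
};

// Constructed "after" manifest: exact pins everywhere, exact override for a
// transitive dependency (hypothetical package names), explicit files allowlist.
const HARDENED_MANIFEST = {
  name: "example-app",
  dependencies: { react: "18.2.0", lodash: "4.17.21" },
  devDependencies: { typescript: "5.4.5" },
  overrides: { "some-lib": { "nested-dep": "2.1.0" } },
  files: ["dist", "README.md"],
};
const HARDENED_NPMRC = "# constructed sample .npmrc\nignore-scripts=true\nsave-exact=true\n";

function demo() {
  return {
    weak: auditManifest(WEAK_MANIFEST, "", ["package.json"]),
    hardened: auditManifest(HARDENED_MANIFEST, HARDENED_NPMRC, ["package.json", "package-lock.json"]),
  };
}

for (const f of demo().weak) console.log(`[${f.rule}] ${f.detail}`);
```

In a real repo you would read `package.json`, `.npmrc` and the directory listing with `fs` and fail the CI job when `auditManifest` returns anything. One caveat worth knowing before enabling `ignore-scripts=true`: it also suppresses your own project's `pre`/`post` hooks, but scripts you invoke by name (`npm run build`, `npm test`) still run, so builds that depend on a `postinstall` step need that step moved into an explicit script.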