NPM Security Best Practices
Note: The NPM ecosystem is no stranger to compromises [1][2], supply-chain attacks [3], malware [4][5], spam [6], phishing [7], incidents [8] or even trolls [9]. In this repository, I have consolidated a list of information you might find useful in securing yourself against these incidents. Feel free to submit a Pull Request, or reach out to me on Twitter!
Tip: This repository covers npm, bun, deno, pnpm, yarn and more.
Table of Contents
For Developers
1. Pin Dependency Versions
On npm, by default, a new dependency is saved with the caret (^) operator. This operator allows the most recent minor or patch release to be installed, so ^1.2.3 will match 1.2.3, 1.2.4, 1.3.0, 1.6.2, etc. See https://docs.npmjs.com/about-semantic-versioning and try out the npm SemVer Calculator (https://semver.npmjs.com). To avoid automatically pulling in a freshly compromised release, it is often advised to pin exact versions (e.g., "my-package": "1.2.3").
Here's how to use the save-exact flag to pin exact versions in the various package managers:
npm install --save-exact react
pnpm add --save-exact react
yarn add --save-exact react
bun add --exact react
deno add npm:[email protected]
We can also make this the default in a configuration file (e.g., .npmrc), with either a save-exact or a save-prefix key/value pair: