npm is very popular and widespread. Typically JS developers run npm install / yarn install on dev machines and CI servers many times per day. A modern npm-based project usually brings in thousands of packages. There are two types of threats:
- Vulnerable packages targeting the runtime of your app - can harvest user data / perform mining etc.
- Vulnerable packages targeting your environment - can harvest ssh keys / auth tokens etc.
Threat #1 can be mitigated by npm audit / lockfiles / caches, as typically there is some time span between dependency installation and go-live.
Threat #2 is more dangerous as it takes place immediately after npm install is executed.
One should keep in mind that when an install is performed, any dependency can execute a post-install script, which is a regular node process. It can do anything the current user is allowed to do. (That's why sudo npm is doubly dangerous.)
https://blog.npmjs.org/post/141702881055/package-install-scripts-vulnerability
That might be a surprise, but there is no relation between a GitHub repo and a package in the npm registry (which is used by yarn/pnpm also). One may publish any code as a package with a link to some existing popular GitHub repo.
In order to protect your environment, run node/npm in isolation using the docker node image.
Example of npm install:
docker run -u node -v "$PWD":/home/node/app -w /home/node/app --rm node:10.14-alpine npm install
Running the server:
docker run -u node -v "$PWD":/home/node/app -w /home/node/app -p 3000:3000 --rm node:10.14-alpine npm run start
Run an interactive session (the alpine image ships /bin/sh, not bash):
docker run -it --entrypoint /bin/sh -u node -v "$PWD":/home/node/app -w /home/node/app --rm node:10.14-alpine
In order to use it conveniently, make shortcuts in .bashrc (no spaces around = in a bash alias):
alias dn10='docker run -u node -v "$PWD":/home/node/app -w /home/node/app --rm node:10.14-alpine'
alias dn10p='docker run -u node -v "$PWD":/home/node/app -w /home/node/app -p 3000:3000 --rm node:10.14-alpine'
alias dn10i='docker run -it --entrypoint /bin/sh -u node -v "$PWD":/home/node/app -w /home/node/app --rm node:10.14-alpine'
You can use yarn too, since it's also in the node image:
cd my_project
dn10 yarn install
dn10p yarn start