npm had a security meltdown, what can we do?
This is a hard problem to solve, because it all comes down to trust. npm will probably try and solve parts of this (they have to now), but we should also be taking action on our end.
- Run unpublished-dependencies to see if your code is affected by the 2016-03-23 meltdown.
- Hook into nodesecurity.io and / or snyk.io to stay on top of security issues
- Hook into greenkeeper.io to not have outdated dependencies
- [unsolved] detect if any package in your dependency tree has been unpublished
before pulling it in - unpublishing means owner ship change could compromise;
should run before
npm install
- prune dependency tree - less dependencies is less untrusted code, which means less things can go wrong - dependency-check can help with this
- never run things as root
- lock down production permissions - use unix profiles and downgrade to change profiles after program is finished setting up - makes exploits harder to use
- lock down external connections - use apparmor / bane to lock down permissions (commands, filesystem, network, etc.)
It seems npm is going to make unpublishing a lot harder, and take steps to prevent historical deps from breaking builds, making the dep tree error thing a lot harder to do. - Let's see what they come up with.