npm

  • Avoid publishing secrets (API keys, passwords or other secrets) to the npm registry.

    • When updating the .gitignore file, also update .npmignore.

    • The ignore files function as blacklist. Instead, use the files property in package.json. It works as a whitelist and specifies the array of files to be included in the package (the ignore file functions as a blacklist). They can be used together to determine which files should explicitly be included and excluded from the package. The files property in package.json takes precedence over the ignore file.

    • Before publishing do a dry run by adding the --dry-run argument to the publish command to review what will be in the tarball.

  • Enforce the lockfile (yarn install --frozen-lockfile, npm ci)

  • Reduce attack surface

    • Do not immediately and blindly upgrade to new versions; wait a while (but not until they are outdated of course).

    • Before upgrading, review changelog and release notes.

    • When installing packages, add the --ignore-scripts suffix to disable the execution of scripts by third-party packages.

    • Perhaps add ignore-scripts to the .npmrc project file or the global npm configuration.

  • Maintain project health

    • Run npm outdated to see if any packages are out of date.

    • Run npm doctor to review the npm setup.

      • Check that the official npm registry is reachable and displays the currently configured registry.

      • Check Git is available.

      • Review installed npm and Node.js versions.

      • Run permission checks on the local and global node_modules, and package cache folders.

      • Check the local npm module cache checksum.

  • Audit for vulnerabilities in open source dependencies. Scan with snyk and/or npm audit. See Comparing npm audit with Snyk