npm Security and Auditing

Security is critical when using third-party packages. Let's learn how to keep your dependencies safe.

The Security Challenge

Every package you install can:

Have vulnerabilities
Include malicious code
Pull in vulnerable dependencies
Be hijacked by attackers

The average Node.js project has hundreds of dependencies, creating a large attack surface.

npm audit

npm includes a built-in security scanner:

npm audit

This checks your dependencies against the npm security advisory database.

Audit Output

# npm audit report

lodash  <4.17.21
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1523
fix available via `npm audit fix`
node_modules/lodash

1 high severity vulnerability

Understanding Severity Levels

Severity	Meaning
Critical	Immediate action required
High	Significant vulnerability
Moderate	Less severe, but fix soon
Low	Minor issues

Fixing Vulnerabilities

Automatic Fix

npm audit fix

This updates packages within semver ranges.

Force Major Updates

npm audit fix --force

Warning: This may include breaking changes!

Manual Fix

Sometimes you need to manually update:

# Update specific package
npm update lodash

# Or install latest version
npm install lodash@latest

Overriding Nested Dependencies

When a vulnerability is in a nested dependency:

{
  "overrides": {
    "vulnerable-package": "^2.0.0"
  }
}

Practice: Security Configuration

npm audit in CI/CD

Fail builds on vulnerabilities:

# Fail on any vulnerability
npm audit

# Fail only on high/critical
npm audit --audit-level=high

# Fail only on critical
npm audit --audit-level=critical

Example GitHub Actions:

- name: Security Audit
  run: npm audit --audit-level=high

Lock File Security

The lock file provides security benefits:

Pins exact versions - No surprise updates
Integrity hashes - Verifies packages
Reproducibility - Same versions everywhere

{
  "packages": {
    "node_modules/lodash": {
      "version": "4.17.21",
      "integrity": "sha512-v2kDEe57lecTu..."
    }
  }
}

Common Attack Vectors

1. Typosquatting

Attackers publish packages with similar names:

lodash (real) vs 1odash (fake)
express (real) vs expresss (fake)

Prevention: Double-check package names before installing.

2. Dependency Confusion

Attackers publish public packages with the same name as internal packages.

Prevention: Use scoped packages (@company/package).

3. Account Hijacking

Maintainer accounts get compromised.

Prevention:

Check package popularity and maintenance
Review recent updates
Use lock files

4. Malicious Updates

A legitimate package is updated with malicious code.

Prevention:

Use lock files
Review updates before deploying
Use npm ci in production

Security Best Practices

1. Keep Dependencies Updated

# Check for outdated packages
npm outdated

# Update within semver ranges
npm update

# Check for major updates
npx npm-check-updates

2. Use Lock Files

Always commit package-lock.json and use npm ci in CI/CD.

3. Minimize Dependencies

# Check what you're installing
npm info package dependencies

Ask yourself:

Do I really need this package?
Can I write this code myself?
How many dependencies does it bring?

4. Review Before Installing

# View package details
npm view package-name

# Check bundle size
npx bundlephobia package-name

# Open npm page
npm home package-name

5. Use Trusted Sources

Check download counts
Check last publish date
Check maintainer reputation
Read the source code

Security Tools

Snyk

npm install -g snyk
snyk test
snyk monitor

Socket.dev

npx socket npm info lodash

npm-audit-resolver

npx npm-audit-resolver

Allows you to mark vulnerabilities as reviewed/ignored.

Two-Factor Authentication

Enable 2FA for your npm account:

Go to npmjs.com/settings
Enable 2FA
Use auth app or security key

For publishing:

npm profile enable-2fa auth-and-writes

Reporting Vulnerabilities

Found a vulnerability? Report it:

npm: security@npmjs.com
Package maintainer: Check SECURITY.md
GitHub: Security Advisories

Summary: Security Checklist

Task	Command
Run audit	`npm audit`
Fix issues	`npm audit fix`
Check outdated	`npm outdated`
CI/CD audit	`npm audit --audit-level=high`
Review package	`npm view package-name`

Key Takeaways

Run npm audit regularly
Use lock files for reproducibility
Minimize dependencies when possible
Review packages before installing
Enable 2FA on your npm account
Stay updated on security advisories

Course Complete!

Congratulations! You now understand:

What npm is and how it works
How to manage package.json
Installing and managing dependencies
Semantic versioning
npm scripts
Global vs local packages
Lock files and reproducibility
npm alternatives
Publishing packages
Security best practices

You're ready to use npm effectively in your JavaScript projects!

npm Security and Auditing

Security is critical when using third-party packages. Let's learn how to keep your dependencies safe.

The Security Challenge

Every package you install can:

Have vulnerabilities
Include malicious code
Pull in vulnerable dependencies
Be hijacked by attackers

The average Node.js project has hundreds of dependencies, creating a large attack surface.

npm audit

npm includes a built-in security scanner:

npm audit

This checks your dependencies against the npm security advisory database.

Audit Output

# npm audit report

lodash  <4.17.21
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1523
fix available via `npm audit fix`
node_modules/lodash

1 high severity vulnerability

Understanding Severity Levels

Severity	Meaning
Critical	Immediate action required
High	Significant vulnerability
Moderate	Less severe, but fix soon
Low	Minor issues

Fixing Vulnerabilities

Automatic Fix

npm audit fix

This updates packages within semver ranges.

Force Major Updates

npm audit fix --force

Warning: This may include breaking changes!

Manual Fix

Sometimes you need to manually update:

# Update specific package
npm update lodash

# Or install latest version
npm install lodash@latest

Overriding Nested Dependencies

When a vulnerability is in a nested dependency:

{
  "overrides": {
    "vulnerable-package": "^2.0.0"
  }
}

Practice: Security Configuration

npm audit in CI/CD

Fail builds on vulnerabilities:

# Fail on any vulnerability
npm audit

# Fail only on high/critical
npm audit --audit-level=high

# Fail only on critical
npm audit --audit-level=critical

Example GitHub Actions:

- name: Security Audit
  run: npm audit --audit-level=high

Lock File Security

The lock file provides security benefits:

Pins exact versions - No surprise updates
Integrity hashes - Verifies packages
Reproducibility - Same versions everywhere

{
  "packages": {
    "node_modules/lodash": {
      "version": "4.17.21",
      "integrity": "sha512-v2kDEe57lecTu..."
    }
  }
}

Common Attack Vectors

1. Typosquatting

Attackers publish packages with similar names:

lodash (real) vs 1odash (fake)
express (real) vs expresss (fake)

Prevention: Double-check package names before installing.

2. Dependency Confusion

Attackers publish public packages with the same name as internal packages.

Prevention: Use scoped packages (@company/package).

3. Account Hijacking

Maintainer accounts get compromised.

Prevention:

Check package popularity and maintenance
Review recent updates
Use lock files

4. Malicious Updates

A legitimate package is updated with malicious code.

Prevention:

Use lock files
Review updates before deploying
Use npm ci in production

Security Best Practices

1. Keep Dependencies Updated

# Check for outdated packages
npm outdated

# Update within semver ranges
npm update

# Check for major updates
npx npm-check-updates

2. Use Lock Files

Always commit package-lock.json and use npm ci in CI/CD.

3. Minimize Dependencies

# Check what you're installing
npm info package dependencies

Ask yourself:

Do I really need this package?
Can I write this code myself?
How many dependencies does it bring?

4. Review Before Installing

# View package details
npm view package-name

# Check bundle size
npx bundlephobia package-name

# Open npm page
npm home package-name

5. Use Trusted Sources

Check download counts
Check last publish date
Check maintainer reputation
Read the source code

Security Tools

Snyk

npm install -g snyk
snyk test
snyk monitor

Socket.dev

npx socket npm info lodash

npm-audit-resolver

npx npm-audit-resolver

Allows you to mark vulnerabilities as reviewed/ignored.

Two-Factor Authentication

Enable 2FA for your npm account:

Go to npmjs.com/settings
Enable 2FA
Use auth app or security key

For publishing:

npm profile enable-2fa auth-and-writes

Reporting Vulnerabilities

Found a vulnerability? Report it:

npm: security@npmjs.com
Package maintainer: Check SECURITY.md
GitHub: Security Advisories

Summary: Security Checklist

Task	Command
Run audit	`npm audit`
Fix issues	`npm audit fix`
Check outdated	`npm outdated`
CI/CD audit	`npm audit --audit-level=high`
Review package	`npm view package-name`

Key Takeaways

Run npm audit regularly
Use lock files for reproducibility
Minimize dependencies when possible
Review packages before installing
Enable 2FA on your npm account
Stay updated on security advisories

Course Complete!

Congratulations! You now understand:

What npm is and how it works
How to manage package.json
Installing and managing dependencies
Semantic versioning
npm scripts
Global vs local packages
Lock files and reproducibility
npm alternatives
Publishing packages
Security best practices

You're ready to use npm effectively in your JavaScript projects!