Some npm Security Best Practices.

Mar 06, 2019

Security is an important aspect to be taken in account whether it is for guarding any physical assets, electronic assets or our important data. That's why it is important to take npm security in account for developers.

So, there are some practices that we will going to learn about.

Before starting we should know some terms which we will going to use here most oftenly npm registry is the biggest collection of packages that is available for all JavaScript developers and is also the home of the most of the Open Source projects for web developers.

CLI (command-line interface) or command language interpreter is a means of interacting with a computer program where the user issues commands to the program in the form of successive lines of text.

1. Avoid publishing secrets to the npm registry

We are starting with the most classical mistake: people adding their passwords to the npm packages they publish! Our passwords or other secrets can very easily end up leaking into the published packages in npm registry. We have our secrets in some files such as a .env which should be added to a .gitignore to avoid committing it to a SCM.

In order to push a project into the registry, the npm CLI (command line interface)packs up a project into a tarball. The following criteria determine which files to be added to the tarball:

  • If there is either a .gitignore or a .npmignore file, the contents of the file are ignored when preparing for publication.
  • If both ignore files exist, everything not located in .npmignore is published to the registry. but keeping in mind that we should update both the files .

Another good practice to adopt is making use of the files property in package.json, which works as a whitelist.

Add a --dry-run argument to your publish command in order to first review how the tarball is created without actually publishing it to the registry.

2. Enforce the lock-file

We have package.json file and lock-file with us and there should not be any inconsistency between both the files .

Any inconsistency will abort the installation. The command line should read as follows:

  • If you’re using Yarn, run yarn install --frozen-lockfile.
  • If you’re using npm run npm ci.

To solve, reference from the lock-file to be taken.

It is highly recommended to commit the lock-file as it include all the dependencies from both the branches.

3. Assess npm project health

Health is very much important and needs to be checked after certain interval.As maintaining proper health of our body is needed to easily cope up with problems and to keep ouselves fit. Likewise it is needed to care of project health.

Outdated dependencies

We should always review our project for outdated dependencies before upgrading because  staying out of date and not upgrading at all is a source for trouble .

The npm CLI can provide information about the freshness of dependencies you use. By running npm outdated, you can see which packages are out of date:

npm outdated packages

Dependencies in yellow correspond to the semantic versioning as specified in the package.json manifest, and dependencies colored in red mean that there’s an update available. Furthermore, the output also shows the latest version for each dependency.

Call the doctor

To verify a healthy npm installation and working environment,we  should call the doctor. The npm CLI incorporates a health assessment tool to diagnose your environment for a well-working npm interaction. Run npm doctor to review your npm setup.

4. Use a local npm proxy

We have npm registry with us but sometimes we might have different needs in terms of security, deployments or performance. and at that time, npm allows you to switch to a different registry:

If you wish to use a different registry, that too is pretty straightforward:

  1. Set npm set registry to set up a default registry.
  2. Use the argument --registry for one single registry.

Verdaccio is a simple lightweight private registry and installing it is as simple as follows:

$ npm install --global verdaccio
verdaccio local private npm proxy

Verdaccio will give an extra level of security,enabling you:

  • Full control of lightweight private package hosting.
  • To cache packages and avoid being affected by network and external incidents.
  • It’s easy to scale using a different storage provider.
  • Easily spin up verdaccio using docker:

$ docker run verdaccio/verdaccio

It is fairly simple to run:

$ verdaccio --config /path/config --listen 5000

Add the following to package.json:

“publishConfig”: {
  “registry”: "https://localhost:5000"

Your registry is running—ya !! Now, to publish a package just use the npm command npm publish and it is ready for you to share it with the world.

5. Enable 2FA

Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming user's claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are

The registry supports two modes for enabling 2FA in a user’s account:

  • Authorization-only—when a user logs in to npm via the website or the CLI, or performs other sets of actions such as changing profile information.
  • Authorization and write-mode—profile and log-in actions, as well as write actions

Enable 2FA on npm with):

$ npm profile enable-2fa auth-and-writes

Follow the command line instructions to enable 2FA, and to save emergency authentication codes. If you wish to enable 2FA mode for login and profile changes only, you may replace the auth-and-writes with auth-only in the code as it appears above.

6. Use npm author tokens

Tokens make easy to perform actions.                                                                                     Make use of restricted tokens for querying npm packages and functionalities from Cl by craeting  a read-only and IPv4 address range restricted token:

$ npm token create --read-only --cidr=

To verify which tokens are created for your user or to revoke tokens in cases of emergency, you can use npm token list or npm token revoke respectively.

7.Understand module naming conventions and typosquatting attacks

Naming a module is the first thing you will do when creating a package, but before defining a final name, npm defines some rules that a package name must follow:

  • It is limited to 214 characters
  • It cannot start with dot or underscore
  • No uppercase letters in the name
  • No trailing spaces
  • Only lowercase
  • Some special characters are not allowed: “~\’!()*”)’
  • Can’t start with . or _
  • Can’t use node_modules or favicon.ico due are banned

Typosquatting is an attack that relies on mistakes made by users, such as typos. Typos in package installation can be deadly.

To reduce the risk of such attacks you might do the following:

  • Be mindful when copy-pasting package install instructions to the terminal and verify authenticty.
  • Opt to have a logged-out npm user in your developer environment.
  • Favor npm install with --ignore-scripts.

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.