Also, don't use npx.
With the colors incident back in 2022, random stuff started to break not when people updated their dependencies, but immediately, because npx would resolve dependencies when the command is executed.
This means it's not really possible to reason about what code is going to execute, and forensics is going to have a really hard time figuring out what a computer has executed.
If your software uses npx in any capacity, you've auto-failed the SBOM compliance checkbox.
What makes node supply chain attacks so dangerous is the CI/CD pattern whereby all dependencies are downloaded from the internet every time a build is created. NPM attacks move fast.
I previously worked in an environment where our ci servers weren't internet-connected. One of the things we did get get node builds to work was we had 'node_modules' for our projects in a separate repository that got joined with our source code in CI to complete a build. When a developer added a dependency, they had to update this repo from their local version. It was annoying to have to synchronize two repositories, but this ended up being a forcing function for the development team to adopt several of the suggestions listed here. When you see a PR with a massive diff for a small dependency change, eyebrows raise and the team starts conversations about how to improve things.
These tips are great, but they don’t address some of the core ways that these supply chain attacks may happen: global modules and npm modules installed with editor extensions.
So `yarn global add nx` will still install the latest version by default, unless you specifically have a `~/.yarnrc` disallowing lifecycle scripts they will still be executed. Using a package manager that doesn’t allow lifecycle scripts by default is the solution here I guess.
I don’t know what the solution is for stuff like [this](https://github.com/nrwl/nx-console/blob/d2fa56509679fc942bbc...) where the editor plugin automatically uses the latest version, or where in general you have little control over what version is used. Any eslint, typescript, nx, prettier, etc plugin will presumably depend on their corresponding package from npm, and if any of those gets compromised then just installing an editor extension could be enough to get you in trouble.
Somehow it is missing the "read the code of your dependency" step … :)
Even occasionally having a glance (e.g. when reading the docs) might be super helpful in discovering strange things going on.
I appreciate all this guidance. I hope Node developers read it all and consider adopting most/all of it.
Node and the NPM ecosystem has been so productive for me and package.json scripts got me more into shell scripting than I ever thought I would.
All that said, there are some major insecurity deal breakers that frighten me when using Node in public-facing services.
Sneaking in compiled native binary blobs as part of NPM install, transitive dependencies with unpinned versions, the vast wasteland of unmaintained packages in NPM ... Node just needs to be superceded, I feel like.
It would be really great for a newer tech company with deep pockets like Tesla to pull a Sun Microsystems and release a new secure-by-design OS and language stack - maybe in support of a modernized hardware platform offering.
My preference would be for a deeper standard library like the jdk. I would like some sort of digital provenance that runs from the dev environment, through the os and package manager, through to all device types all the way through to the one and only global app store (or an enterprise-hosted proxy.) The whole kit and kaboodle signed and delivered at all levels.
I would like more energy efficient network hosting and service delivery patterns codified.
I would like public developer guilds with certs not as a prereq for employment, but rather to encourage developers to have something to show for their training other than a nebulous college diploma. Senior guildsmen can present their work products for review as an ongoing proof of their craftsmanship.
Plug: I've been building a tool to detect software supply-chain cyberattacks: https://github.com/ossillate-inc/packj
Packj uses static+dynamic code/behavioral analysis to scan for indicators of compromise (e.g., spawning of shell, use of SSH keys, network communication, use of decode+eval, etc). It also checks for several metadata attributes to detect impersonating packages (typo squatting).
Huge props for point 13 which is basically the crux of the matter, and often overlooked.
Personally I would like to see more awareness around the dangers of blindly trusting compiled javascript (and non-human-readable code generally).
I created https://github.com/JamieMason/shrinkpack in 2015 to try and help with this problem, by creating an offline mirror of decompressed tarballs from the npm registry that you'd check into your repository.
I thought it might have some merit at the time, but it never really took off as an idea.
That first recommendation of pinning exact versions of each and every dependency is borderline insane. That's exactly what lockfiles are for. Which are used by default.
One thing I haven't seen talked about at all is the local development setup. I was thinking of putting node/js projects fully into docker containers (and mounting the project directory as a volume for hot reloading). While this doesn't fix the CI attack vector, it should mitigate risk for personal/work machines.
I'd be interested in hearing the setup other people have for their dev envs, also are you using separate browsers for Dev/Internet?
This needs to be solved at the language level by defining whitelist-like contexts. Some sort of
with MyContext(allow_sys_cmds=false, network=false, read_disk=false):
...
> Show HN: Tips to stay safe from NPM supply chain attacks
1. Don't use the damn thing.
2. If it needs an internet connection to compile, uninstall it.
Anyone know how to set this in the repo itself with a yarn config file so it applies to the whole team?
Edit: too long to paste here, but if you ask ChatGPT it will show you how using a yarnrc file.
Someone recommended this to me on another thread and tried it yesterday and it seems very good:
For reducing external dependencies, it would be nice to somehow know every call made to a package, generating the call tree to replace. That becomes the API of the internal, replacement package.
Here is the entire guide you need to protect yourself from supply chain attacks as a software engineer.
Pick whichever of these will consume the fewest resources over time:
1. review an existing library and all dependencies, and all security updates to them forever (or ensure someone capable does or did)
2. implement the minimal functions you require on top of the language standard library yourself
Yes, this is serious advice, and I have followed it while shipping web applications to millions of people at multiple companies, as a consultant for many more companies, and as a founder and security engineer.
Like the projects but not a Show HN, see the guidelines.
I can't lie to you about your chances, but... you have my sympathies.
For what it's worth, I prompted GPT-5 Pro to produce a npm supply chain best practices guide, to see what it comes up with. I've not read it yet.
https://gist.github.com/pschleger/c1c36fbde003bea5eee7ce4291...
And a prompt to review a site I built for GitHub Pages, which I'll try this week.
https://gist.github.com/pschleger/8d5fcea6b96d8504ac58bb2f8d...
For most projects, overriding every single transitive dependencies to be pinned is impractical.
Instead, for those using npm, I'd highly suggest using `npm ci` both locally and of course on CI/CD. This will ensure the (transitive) dependencies pinned in the lockfile are used.
TIL on the `npm install --before="$(date -v -1d)"` trick; thanks for that! Using that to update (transitive) dependencies should be really helpful.
For those using GitHub Actions, I'd also recommend taking advantage of the new dependabot cooldown feature to reduce the likelihood of an incident. Also make sure to pin all GitHub Action dependencies to a sha and enforce that at the GitHub repo/account level.