Hello! In previous posts, we talked in detail about choosing dependencies and using lock files in npm , but I only touched on security issues in passing. It's time to fix this issue: this and the next post will be completely devoted to security in npm! And first, we will look at how security is ensured at the level of the npm infrastructure and the ecosystem as a whole.
, , , . , API , , . , ( , ). , - , , , , .
, , . , â .
npm
, , . , npm , .
, : npm , , .
, npm ^Lyft Security ( ) : Lyft npm , pen- . , Lyft Node Security Platform (NSP) [ Node], Node npm-. , 2018- npm Inc. ^Lyft Security, npm.
, npm , , (JavaScript). Node Security Platform npm , .
, 2020 GitHub (Microsoft) npm Inc., npm GitHub. , , GitHub â GitHub Security Lab. , Microsoft GitHub npm registry.
, npm , , npm .
npm . , . , . -, . , , , , TOR ( ).
, , , : , , .
, npm JavaScript, . , , , IP- URL, , . npm , Security Insight API. , .
npm . npm registry, (private) (, CI/CD-), .
, , , npm- GitHub. , npm, , .
, npm GitHub , ; npm , npm, , npm . , , , .
, npm , - (, production), , npm registry .
. , - , . Have I Been Pwned E-mail , . , GMail, 11 , 14 . , !
: , npm, , npm (, ), . , , (, , npm ).
. , npm 24/7, , . JavaScript, npm . npm 25 . .
(malware), npm, . , npm , .
, . npm , , , .
, npm security advisory. ( npm audit), , , . , ( ). , npm 48 , . npm , 45 , , .
npm, , , 20 % . npm 1427 (security advisories). . GitHub.
, , , : npm CLI , . .
npm , , , , .
, , , , . , , .
- , , .