Security of npm projects, part 1



Hello! In the last post, we started looking at the important issue of security in npm and talked about what measures the company uses to identify and prevent threats. This time I want to talk about the tools and approaches that are available to you personally, and which I highly recommend that all developers implement in their practice.



Installation scripts



npm install (: preinstall, install/postinstall), . , . , , .



, :



An example of a package containing a malicious script



: npm install malicious-package, evil.sh, unix-.



, , 2018 eslint-scope eslint-config-eslint, , .



, , , , , .



, npm npm, . , npm registry , , , , npm .



, , , , . , , .

, npm , npm , . .



, :



npm install suspicious-package --ignore-scripts


, ( .npmrc):



npm config set ignore-scripts true


, . , .





Runtime limitation



, , npm, npm install. , Docker-, . , npm root-; , . . : npm, .



: - , . , . npm.





Security of tokens and keys



: , . , npm .npmrc , .



npm - (, CI/CD), . , , read-only, . .



npm IP- (CIDR). IP ( IP) . , , (on-demand). , , .



.npmrc, (Git). NPM_TOKEN ( ).



npm token create, :



  • --read-only — , (. . , );
  • --cidr=<CIDR> — , IP. CIDR, IP. : --cidr=192.0.2.0/24.


, npm-, . npm, npm token list.



, npm adduser .npmrc . .



~/.npmrc :



//registry.npmjs.org/:_authToken=00000000-0000-0000-0000-000000000000


npm registry, .



, ~/.npmrc unix-!

(, SSH), , . , . . , . SSH, EdDSA . , . : Ed25519 (EdDSA) RSA ( 2048 ) .





Eyeballs



, , . . , , npm install packae-name: 404, — .



npm , . , , , copy-and-paste.





Secure passwords



, , :



  • , . (16 );
  • . ;
  • ;
  • , .


: . KeePass ( ). -, . -, , , . (., Google Drive DropBox), .



, , !


Multifactor Authentication (MFA)



, . . : - , . - SMS- . , . . .



, npm -. : « » « ». « », . . , npm OTP npm adduser, - (, npm publish).



, npm 2FA, . : , QR-, -. , CLI :



  • npm profile enable-2fa auth-and-writes

    — « » ()
  • npm profile enable-2fa auth-only

    — « »


CLI npm ( ), QR-. (OTP), , .



npm , , , .



, , 2FA npm profile disable-2fa, . , , npm (, ).





Limiting published files



, npm publish, npm .



, npm
  • .git
  • CVS
  • .svn
  • .hg
  • .lock-wscript
  • .wafpickle-N
  • .*.swp
  • .DS_Store
  • ._*
  • npm-debug.log
  • .npmrc
  • node_modules
  • config.gypi
  • *.orig
  • package-lock.json


- registry , , , . . npm - , , .



, files package.json. , ( glob), . , - .



, , files:



  • package.json
  • README
  • CHANGES, CHANGELOG, HISTORY
  • LICENSE, LICENCE
  • NOTICE
  • , main


README, CHANGES, LICENSE NOTICE .



, .



, npm publish, --dry-run npm pack --dry-run. , , . --dry-run , , , .





, , npm-. — .



, .






, , , , . , .



- , , .



.



