Supply chain attacks: securing your npm dependencies
npm Supply Chain Security
Your application's security depends on every npm package you install. A compromised or malicious package can steal secrets, exfiltrate data, or plant backdoors. Supply chain attacks are rising rapidly.
Typosquatting and Dependency Confusion
Typosquatting: A malicious package named expres or lodahs waits for developers to mistype express or lodash. Always verify the exact package name and check download counts before installing.
Dependency confusion: An attacker publishes a public package with the same name as your private internal package, and npm may fetch the public version instead. Fix: always scope internal packages, as in @yourcompany/package-name.
Locking Dependencies
# Always commit package-lock.json — it pins exact versions and hashes
git add package-lock.json
# Install only from the lockfile in CI/CD
npm ci
# Update package-lock.json only, without installing into node_modules
npm install --package-lock-only
# Verify npm registry signatures (npm v9+)
npm audit signatures
Automated Dependency Scanning
# Run on every PR in CI
npm audit --audit-level=high
# Tools to integrate:
# - Dependabot (GitHub) — auto PRs for vulnerable deps
# - Snyk — deeper vulnerability database
# - socket.dev — detects malicious packages before install
Review every new dependency's source code before adding it to production. Check: Does it have a GitHub repo? Recent commits? Many contributors? For packages with low download counts and new publication dates, scrutinize carefully.
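As an added example (not code from the original article), the Node.js script below checks a lockfile for the problems discussed under Locking Dependencies and dependency confusion: entries with no integrity hash, entries with only a hash weaker than sha512, packages not fetched as HTTPS registry tarballs, and internal-scope packages resolved from a registry other than the private one. The scope @yourcompany follows the article; the host npm.internal.example, the function names and the sample lockfile are assumptions made for illustration.

```javascript
// Added example: audits the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
// INTERNAL_SCOPE and PRIVATE_REGISTRY_HOST are assumed values; substitute your own.
const INTERNAL_SCOPE = '@yourcompany';
const PRIVATE_REGISTRY_HOST = 'npm.internal.example';

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function packageName(lockPath) {
  return lockPath.slice(lockPath.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace folders, workspace links and bundled deps.
    if (!path.includes('node_modules/') || entry.link || entry.inBundle) continue;
    const name = packageName(path);
    const hashes = (entry.integrity || '').split(/\s+/).filter(Boolean);
    if (hashes.length === 0) {
      findings.push({ name, issue: 'missing-integrity' });
    } else if (!hashes.some((h) => h.startsWith('sha512-'))) {
      findings.push({ name, issue: 'weak-integrity-hash' });
    }
    let url = null;
    try { url = new URL(entry.resolved); } catch { /* absent or unparsable */ }
    if (!url || url.protocol !== 'https:') {
      // git, file, plain http or a missing "resolved" field
      findings.push({ name, issue: 'not-an-https-registry-tarball' });
    } else if (name.startsWith(INTERNAL_SCOPE + '/') && url.host !== PRIVATE_REGISTRY_HOST) {
      // Dependency confusion: the internal name came from somewhere else.
      findings.push({ name, issue: 'internal-scope-from-foreign-registry' });
    }
  }
  return findings;
}

// Constructed sample lockfile; versions, hashes and hosts are placeholders.
const tgz = (host, name) => `https://${host}/${name}/-/pkg-0.0.0.tgz`;
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'app' },
  'node_modules/express': { resolved: tgz('registry.npmjs.org', 'express'), integrity: 'sha512-PLACEHOLDER' },
  'node_modules/@yourcompany/auth': { resolved: tgz('registry.npmjs.org', '@yourcompany/auth'), integrity: 'sha512-PLACEHOLDER' },
  'node_modules/@yourcompany/core': { resolved: tgz(PRIVATE_REGISTRY_HOST, '@yourcompany/core'), integrity: 'sha512-PLACEHOLDER' },
  'node_modules/old-lib': { resolved: tgz('registry.npmjs.org', 'old-lib'), integrity: 'sha1-PLACEHOLDER' },
  'node_modules/express/node_modules/no-hash': { resolved: 'git+ssh://git@git.example/x/no-hash.git#0000000' },
} };

console.log(auditLockfile(SAMPLE_LOCK));
```

In CI, pass the function the parsed contents of the committed package-lock.json and fail the job when the returned list is not empty.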
