Published on

NPM and Dependency Confusion


You may have recently read about the exploits around dependency confusion.

I manage our NPM Repository at work. I was already aware of this particular issue with NPM scopes, and had prepared our development teams to handle this kind of exploit. The policy I implemented can be found below.

  • All internal projects must use a lockfile.
    • All new development will generate a lockfile anyway.
    • Legacy projects should be updated prior to any new feature work.
  • All internal packages must use a scope.
    • Attempts to install/publish packages without a scope should be rejected.
  • All internal project scopes must also be registered on public registries.
    • The easiest way to ensure this is to lock down scope generation.
  • No packages can use internal scopes for open source projects. Different registries should always use different scopes.
    • This is just a good practice with NPM in general, since a package can only use one registry per scope.