
npm Best Practices for the Supply-Chain

September 1, 2022

By Myles Borins (GitHub), Jordan Harband (No affiliation), Jeff Mendoza (Google), Erez Rokah (CloudQuery), Laurent Simon (Google), Liran Tal (Snyk), Randall T. Vasquez (Gentoo)

We are excited to announce the v1 release of the “npm Best Practices,” a new guide focused on dependency management and supply chain security for npm. This release is the result of the OpenSSF Best Practices Working Group. It is a critical step to help JavaScript and TypeScript developers reduce risks as they choose open-source dependencies to use in their projects. 

The ability to use another developer’s project as a dependency has contributed to faster development time, innovation, and a vibrant open-source community. In particular, npm—the package ecosystem that serves JavaScript and TypeScript projects—has grown to include 2.1 million packages, with many JavaScript projects built on tens or even hundreds of dependencies. npm is the largest package ecosystem in existence; in fact, the npm ecosystem is considered larger than most other significant programming language ecosystems combined. 

Using dependencies also incurs risks. A simple dependency update can break a dependent project. Furthermore, like any other piece of software, dependencies can have vulnerabilities or be hijacked, affecting the projects that use them (1,2). Still, the benefits of using dependencies most often outweigh the downsides. Accordingly, it is best to use (and maintain) dependencies with a carefully thought-out and secure strategy. However, developing such a strategy can be challenging, since it involves a different set of problems from those most developers are used to solving. Several npm community members and security experts have come together, with the facilitation of the OpenSSF, to produce these guidelines for the benefit of the npm community.

This new “npm Best Practices” guide is intended to help developers and organizations facing such problems so that they can consume dependencies more confidently. The guide provides an overview of supply chain security features available in npm, describes the risks associated with using dependencies, and lays out best practices to reduce those risks at different project stages. The guidelines cover, for example, how to set up a secure CI configuration, how to avoid dependency confusion, and how to limit the consequences of a hijacked dependency. Developers who follow this guide will proactively harden their npm packages against the most common supply chain attacks. We also hope automated tools like Scorecards and Allstar will adopt these principles.

Please take a look at the guide, follow these practices, share with your friends and colleagues, and suggest improvements. 

There are many other language ecosystems, and we are looking for help to create more guideline documents to support developers using open source securely. If you have feedback on the npm document or would like to contribute to a best practice for another ecosystem, please reach out to us in the package manager best practices repository.

This post represents the views of the authors & does not necessarily reflect those of all OpenSSF members.