NodeJs: Dependency-based attacks

Prevention

There are some preventative actions you can take right now:

Last updated 4 years ago

Lock your dependencies

Both npm and Yarn provide a lockfile (package-lock.json and yarn.lock respectively) and a mechanism to force its use. The lockfile prevents packages from being updated automatically when you deploy (when running npm install or yarn install on your server). This helps prevent a malicious update from being installed without you realizing it, but you still need to keep packages updated yourself to pick up bug fixes and improvements.

Ignore run-scripts

In the Dependency-based attacks section it was shown that most malicious package routines on npm are started during installation. A few years ago an incident involving the popular package eslint-scope collected several npm tokens through its install script.

package.json supports the definition of arbitrary scripts as well as scripts bound to preset life cycle events. Life Cycle Scripts are scripts that execute only under certain circumstances; they run in addition to the "pre" and "post" scripts and include hooks such as preinstall, preuninstall and postuninstall.

A good practice would be to inspect the package.json of each dependency, but this is not feasible because of the number of packages and because they are constantly being updated. For this reason, a good security practice is to ignore these scripts.

When installing a package, you can choose to opt out of running scripts with the --ignore-scripts option in npm or Yarn:

npm install --ignore-scripts
yarn add --ignore-scripts

It is also possible to set this globally so that these scripts are always ignored:

npm config set ignore-scripts true
yarn config set ignore-scripts true

Analyze and keep your project healthy

Whenever you use an ecosystem that relies on third-party code, you should know your dependencies and ask yourself questions like: "What packages do I use?", "Do I still use these packages?", "Do the packages I use have many users?", "Do my dependencies have any known vulnerabilities?", "Are my dependencies up to date?".

When installing a new package, try to get to know it: on the npm website you can learn about the project, see its versions and check the Security advisories.

Package managers like npm and Yarn have tools to help keep your project healthy. Running npm outdated or yarn outdated shows whether your packages are outdated. Another good feature of these package managers is npm audit and yarn audit, which check installed packages for known security issues. It is also worth using a tool that notifies you when any of your dependencies has a vulnerability, like GitHub security alerts.

As previously shown, the most common way to inject malicious packages is typosquatting: packages created by malicious users who register them under a name very similar to that of a well-known package. One way to prevent it is to know the module naming conventions well so that you can always try to identify this type of attack.
