When discussing a recent malware attack using a popular NPM package (and after removing this package from our code base), I started researching ways to restrict npm install commands. So far I have not found any way to restrict what a developer can install.
There are two reasons why this would benefit everyone:
Regarding #1, the idea is that each team could create an approved list of package names that could be checked against before npm install actually runs - essentially creating some type of review process for npm packages.
Regarding #2, our team was actually impacted by having this package removed on NPM - but the only reason we ever had this dependency is because a package was installed by accident and went unnoticed for a while. Here's what I think happened:
npm install --save somepackagehere
(notice the dash dash)
npm install save
(no dash dash), thus installing the save npm package which has a dependency on event-stream, which had a dependency on flatmap-stream.
Node Version: 9.9.1
NPM Version: 6.4.1
QUESTION
Is there an existing way to achieve what I've described above that is not dependent on a manual code-review?
Some situations require more security and, as discussed in this article (point 6, "Use a local npm proxy"), you can create your own npm registry and only pull allowed packages and versions from there.
In most cases I do believe it is unnecessary; however, if your situation calls for this edge case, it is possible.