The npm Best Practices Guide was made available by the Open Source Security Foundation (OpenSSF) to assist JavaScript and TypeScript developers in lowering the security risks connected with using open source dependencies. The manual, produced by the OpenSSF Best Practices Working Group, focuses on npm’s dependency management and supply chain security and addresses a number of topics, including how to set up a secure CI configuration, how to avoid dependency confusion, and how to minimise the effects of a hijacked dependency.
The release coincides with developers sharing and using dependencies more frequently, which can pose problems while also accelerating innovation and development. Contributors to OpenSSF noted in a blog post that while adopting open source dependencies frequently has advantages over disadvantages, there can also be major risks involved.
“A simple dependency update can break a dependent project. Furthermore, like any other piece of software, dependencies can have vulnerabilities or be hijacked, affecting the projects that use them,” they added.
CSO is informed by David A. Wheeler, the Linux Foundation’s director of open source supply chain security: Underestimating the potential impact of vulnerabilities in both direct and indirect dependencies is the biggest security risk associated with developers’ use of open source dependencies. However, creating a strategy for dependency security that works can be difficult since it entails a unique set of issues that most developers aren’t used to dealing with, according to the blog.
The npm Best Practices manual is intended to help developers and organisations dealing with such issues so they may more securely and confidently consume dependencies. It gives an overview of the supply chain security options offered by npm, discusses the dangers of using dependencies, and offers suggestions for risk mitigation at various project phases. The majority of the manual is devoted to dependency management, outlining actions developers can take to lessen potential risks. For instance, the book advises that the first step in employing a dependence is to research its provenance, credibility, and security posture.
It urges developers to be on the lookout for typo-squatting attacks, which occur when an attacker generates a package name that appears official to fool users into installing malicious packages, by locating the package’s GitHub repository and evaluating its credibility (number of contributors, stars, etc.). Developers should find the package name for a GitHub project of interest after which they can use OpenSSF Security Scorecards to find out about the dependency’s current security posture.
According to the book, developers should also use npm-audit to find out about current vulnerabilities in the project’s dependencies and deps.dev to learn about the security posture of transitive dependencies. According to the manual, reproducible installation can make guarantee that precise copies of dependencies are utilised each time a package is installed, enhancing security. These include speedy detection of potential network intrusions in the event that a reliance has flaws, threat mitigation against dangers like malicious dependencies, and package corruption detection.
The guide also recommended utilising a lockfile, which employs cryptographic hashes to implement hash pinning. Continuous dependency maintenance is crucial, with regular updates in conjunction with the disclosure and patching of new vulnerabilities being essential. The document offers security advice for both public and private packages obtained via internal registries.
