# bodadotsh/npm-security-best-practices

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/bodadotsh-npm-security-best-practices).**

761 stars · 18 forks · MIT

## Links

- GitHub: https://github.com/bodadotsh/npm-security-best-practices
- Homepage: https://github.com/bodadotsh/npm-security-best-practices
- awesome-repositories: https://awesome-repositories.com/repository/bodadotsh-npm-security-best-practices.md

## Topics

`awesome` `deno` `javascript` `list` `nodejs` `npm` `pnpm` `security` `yarn`

## Description

This project provides a comprehensive guide for securing the software supply chain within Node.js and npm environments. It focuses on hardening the entire lifecycle of third-party dependencies and package publishing processes to protect applications from malicious code injection and unauthorized registry modifications.

The guide distinguishes itself by emphasizing identity-based authentication and cryptographic provenance to verify the origin of distributed artifacts. It advocates for strict governance policies, such as enforcing minimum release ages for dependencies and disabling automatic lifecycle scripts, to mitigate risks associated with newly published or untrusted code.

The documentation covers a broad range of security practices, including deterministic dependency resolution through committed lockfiles, granular access control for registry tokens, and automated vulnerability auditing. It also details methods for minimizing the attack surface: restricting the files included in a published package, and overriding transitive dependencies so that vulnerable or unwanted sub-dependency versions can be replaced, giving consistent, predictable builds across development and production environments.
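The settings the description refers to are concrete package-manager options, so the following added example (written for this page, not code from the bodadotsh/npm-security-best-practices project) checks a project offline against them: `ignore-scripts` and `save-exact` in `.npmrc`, a committed lockfile, pnpm's `minimumReleaseAge` (in minutes, from `pnpm-workspace.yaml`), exact version pins, and on the publishing side a `files` allowlist and `publishConfig.provenance`. The two sample projects, their dependency names and the `auditProject` function name are constructed for the demonstration.

```javascript
// Added example, not code from the bodadotsh/npm-security-best-practices
// project: an offline checker for the install- and publish-time settings the
// guide recommends. The .npmrc keys (ignore-scripts, save-exact), the
// package.json fields (files, private, dependencies, publishConfig) and
// pnpm's minimumReleaseAge (minutes) are real settings; the sample project
// contents below are constructed for the demonstration.

// Parse an .npmrc (ini-style key=value lines) into an object.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// Read pnpm's minimumReleaseAge (minutes) from pnpm-workspace.yaml; 0 if unset.
function minimumReleaseAgeMinutes(yamlText) {
  const m = /^\s*minimumReleaseAge:\s*(\d+)\s*$/m.exec(yamlText || '');
  return m ? Number(m[1]) : 0;
}

// A specifier counts as pinned only if it is a plain semver version:
// no ^, ~, x, *, ranges, "latest" or other dist-tags.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Return the list of policy findings for one project; an empty list passes.
function auditProject({ npmrc = '', pnpmWorkspaceYaml = '', packageJson, lockfilePresent }) {
  const cfg = parseNpmrc(npmrc);
  const findings = [];

  if (cfg['ignore-scripts'] !== 'true') {
    findings.push("ignore-scripts is not true: every dependency's pre/postinstall scripts run on install");
  }
  if (cfg['save-exact'] !== 'true') {
    findings.push('save-exact is not true: "npm install <pkg>" records a ^range, not the resolved version');
  }
  if (!lockfilePresent) {
    findings.push('no lockfile committed: resolution is not deterministic and integrity hashes are not enforced');
  }
  if (minimumReleaseAgeMinutes(pnpmWorkspaceYaml) === 0) {
    findings.push('no minimum release age: a version published minutes ago is installable immediately');
  }

  const deps = { ...packageJson.dependencies, ...packageJson.devDependencies };
  for (const [name, spec] of Object.entries(deps)) {
    if (!EXACT_VERSION.test(spec)) {
      findings.push(`${name}@${spec} is not pinned to an exact version`);
    }
  }

  // Publish-side checks only matter for packages that will actually be published.
  if (packageJson.private !== true) {
    if (!Array.isArray(packageJson.files) || packageJson.files.length === 0) {
      findings.push('no "files" allowlist: npm publish ships everything not excluded by .npmignore/.gitignore');
    }
    if (!(packageJson.publishConfig && packageJson.publishConfig.provenance === true)) {
      findings.push('publishConfig.provenance is not true: published tarballs carry no build provenance attestation');
    }
  }
  return findings;
}

// Constructed sample: a library project with the defaults most repositories start from.
const weakProject = {
  npmrc: '# defaults\nregistry=https://registry.npmjs.org/\n',
  packageJson: { name: 'demo-lib', version: '1.0.0', dependencies: { 'left-pad': '^1.3.0' } },
  lockfilePresent: false,
};

// The same project after applying the guide's recommendations.
const hardenedProject = {
  npmrc: 'ignore-scripts=true\nsave-exact=true\n',
  pnpmWorkspaceYaml: 'minimumReleaseAge: 1440\n',
  packageJson: {
    name: 'demo-lib',
    version: '1.0.0',
    files: ['dist', 'README.md'],
    publishConfig: { provenance: true },
    dependencies: { 'left-pad': '1.3.0' },
  },
  lockfilePresent: true,
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', auditProject(weakProject));      // seven findings
  console.log('hardened:', auditProject(hardenedProject)); // []
}
```

The checker is deliberately static: it reads configuration, not the registry, so it runs in a pre-commit hook or CI without network access. `ignore-scripts=true` blocks every dependency's lifecycle scripts, so packages that genuinely need a build step have to be allow-listed explicitly (pnpm exposes this as a per-package list in `pnpm-workspace.yaml`); `publishConfig.provenance` has the same effect as `npm publish --provenance` and only produces an attestation when the publish runs in a supported CI environment with an OIDC identity token.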

## Tags

### Security & Cryptography

- [Software Supply Chain Security](https://awesome-repositories.com/f/security-cryptography/software-supply-chain-security.md) — Secures the entire lifecycle of third-party dependencies and build processes to protect against malicious code injection.
- [Build Provenance Attestors](https://awesome-repositories.com/f/security-cryptography/cryptographic-hash-verifiers/build-provenance-attestors.md) — Generates cryptographic attestations during package publishing to provide verifiable proof of build origin and integrity.
- [Registry Security](https://awesome-repositories.com/f/security-cryptography/registry-security.md) — Provides guidance for hardening authentication, access control, and artifact provenance in software registries.
- [Dependency Vulnerability Scanners](https://awesome-repositories.com/f/security-cryptography/dependency-vulnerability-scanners.md) — Scans project dependencies for known security flaws and provides automated remediation paths. ([source](https://github.com/bodadotsh/npm-security-best-practices/blob/main/README.md))
- [Identity-Based Authentication](https://awesome-repositories.com/f/security-cryptography/identity-authentication/identity-based-authentication.md) — Implements identity-based authentication to replace long-lived registry tokens with secure, short-lived identity assertions.
- [Installation Policies](https://awesome-repositories.com/f/security-cryptography/infrastructure-policy-enforcement/security-policy-enforcers/repository-security-policies/installation-policies.md) — Restricts package installation by enforcing security policies to prevent unauthorized or malicious code execution. ([source](https://github.com/bodadotsh/npm-security-best-practices/blob/main/pnpm-workspace.yaml))
- [Registry Access Controls](https://awesome-repositories.com/f/security-cryptography/access-restrictions/registry-access-controls.md) — Secures package publishing through granular access tokens and multi-factor authentication. ([source](https://github.com/bodadotsh/npm-security-best-practices#readme))
- [Token Access Restrictions](https://awesome-repositories.com/f/security-cryptography/access-control/panel-access-controls/token-access-restrictions.md) — Generates granular access tokens with limited scopes and expiration to minimize credential compromise risks. ([source](https://github.com/bodadotsh/npm-security-best-practices/tree/main))

### Repository Format

- [Awesome List](https://awesome-repositories.com/f/repository-format/awesome-list.md) — A community-curated directory that catalogs and links out to other open-source projects, rather than a standalone tool you run yourself.

### Development Tools & Productivity

- [Dependency Governance](https://awesome-repositories.com/f/development-tools-productivity/package-dependency-managers/dependency-governance.md) — Standardizes dependency installation and versioning to ensure consistent, predictable, and secure builds.
- [Project Lockfile Management](https://awesome-repositories.com/f/development-tools-productivity/dependency-managers/installation-resolution-utilities/project-lockfile-management.md) — Maintains consistent dependency versions across environments by generating and enforcing project lockfiles.
- [Dependency Lock Managers](https://awesome-repositories.com/f/development-tools-productivity/dependency-lock-managers.md) — Locks dependency versions to specific states to prevent unauthorized changes or malicious code injection. ([source](https://github.com/bodadotsh/npm-security-best-practices/blob/main/deno.json))
- [Package Publishing](https://awesome-repositories.com/f/development-tools-productivity/dependency-managers/artifact-distribution-systems/package-publishing.md) — Implements identity-based authentication and strict file controls for secure package distribution. ([source](https://github.com/bodadotsh/npm-security-best-practices/blob/main/deno.json))
- [Pre-installation Security Auditing](https://awesome-repositories.com/f/development-tools-productivity/dependency-managers/installation-resolution-utilities/dependency-installers/pre-installation-security-auditing.md) — Integrates security checks into the installation workflow to block malicious packages before they enter the project. ([source](https://github.com/bodadotsh/npm-security-best-practices#readme))
- [Installation Script Disablers](https://awesome-repositories.com/f/development-tools-productivity/installation-scripts/installation-script-disablers.md) — Blocks the automatic execution of pre- and post-install scripts to prevent malicious code execution. ([source](https://github.com/bodadotsh/npm-security-best-practices#readme))
- [Installation Integrity Verification](https://awesome-repositories.com/f/development-tools-productivity/package-installers/installation-integrity-verification.md) — Verifies installed packages against the integrity hashes recorded in the lockfile so that a tampered or substituted tarball fails the install instead of entering the project.
- [Dependency Lockfiles](https://awesome-repositories.com/f/development-tools-productivity/dependency-lockfiles.md) — Commits dependency lockfiles to version control to ensure identical package installations across all environments. ([source](https://github.com/bodadotsh/npm-security-best-practices/tree/main))
- [Governance Policies](https://awesome-repositories.com/f/development-tools-productivity/dependency-managers/installation-resolution-utilities/dependency-installers/governance-policies.md) — Enforces organizational security constraints like minimum release ages and trust levels during dependency installation.
- [Node.js Development Utilities](https://awesome-repositories.com/f/development-tools-productivity/node-js-development-utilities.md) — Standardizes Node.js dependency management to ensure consistent and secure builds across environments.
- [Dependency Override Managers](https://awesome-repositories.com/f/development-tools-productivity/package-dependency-managers/dependency-override-managers.md) — Manages local overrides for nested dependencies to mitigate risks from broad version ranges and insecure sub-dependency configurations.
- [Installation Cooldown Managers](https://awesome-repositories.com/f/development-tools-productivity/package-installers/installation-cooldown-managers.md) — Enforces a minimum age requirement for new package versions to mitigate risks from newly published malicious releases. ([source](https://github.com/bodadotsh/npm-security-best-practices#readme))
- [Trusted Publishing](https://awesome-repositories.com/f/development-tools-productivity/package-publishing-pipelines/trusted-publishing.md) — Implements identity-based authentication to eliminate long-lived tokens and enable automatic provenance generation. ([source](https://github.com/bodadotsh/npm-security-best-practices/blob/main/README.md))
- [Artifact Filters](https://awesome-repositories.com/f/development-tools-productivity/package-manifests/artifact-filters.md) — Restricts the contents of published packages to essential files to prevent accidental exposure of sensitive data.
- [Publishing Policies](https://awesome-repositories.com/f/development-tools-productivity/package-publishing-pipelines/publishing-policies.md) — Limits the contents of published packages to essential files to prevent accidental exposure of sensitive data. ([source](https://github.com/bodadotsh/npm-security-best-practices/blob/main/README.md))
- [Artifact Filtering](https://awesome-repositories.com/f/development-tools-productivity/package-publishing-pipelines/publishing-policies/artifact-filtering.md) — Restricts the set of files included in a package to minimize the attack surface and prevent accidental data exposure. ([source](https://github.com/bodadotsh/npm-security-best-practices#readme))
- [Version Pinning Tools](https://awesome-repositories.com/f/development-tools-productivity/version-pinning-tools.md) — Enforces exact dependency versions to ensure consistent and predictable builds across environments. ([source](https://github.com/bodadotsh/npm-security-best-practices#readme))
- [Dependency Minimizers](https://awesome-repositories.com/f/development-tools-productivity/package-dependency-managers/dependency-bloat-reducers/dependency-minimizers.md) — Replaces third-party utility libraries with native language features to reduce the overall attack surface. ([source](https://github.com/bodadotsh/npm-security-best-practices/blob/main/README.md))

### DevOps & Infrastructure

- [Lifecycle Script Sandboxes](https://awesome-repositories.com/f/devops-infrastructure/execution-environments/code-execution-runtimes/code-execution-sandboxes/lifecycle-script-sandboxes.md) — Blocks or isolates the pre- and post-install hooks that packages run automatically, so a dependency cannot execute arbitrary code during dependency setup.
- [Package Security](https://awesome-repositories.com/f/devops-infrastructure/package-security.md) — Provides comprehensive configuration settings to harden package manager security and mitigate supply-chain risks. ([source](https://github.com/bodadotsh/npm-security-best-practices/blob/main/default.sh))
- [Version and Compatibility Management](https://awesome-repositories.com/f/devops-infrastructure/dependency-management/version-compatibility-management.md) — Configures package managers to use strict build requirements and consistent version prefixes for reproducible dependency resolution. ([source](https://github.com/bodadotsh/npm-security-best-practices/blob/main/pnpm-workspace.yaml))
