Software supply chain security involves managing the risks from third-party code you import, such as NPM packages.
The `npm audit` command helps identify known vulnerabilities, like prototype pollution in older versions of packages like Lodash.
Running `npm audit` in CI can lead to frequent build failures from low-risk issues like ReDoS in dev dependencies, causing audit fatigue.
The `npm-audit-resolver` tool provides an interactive way to review, ignore, or postpone vulnerability alerts from `npm audit`.
Malicious NPM packages can execute arbitrary code during installation using lifecycle `postinstall` scripts, even if they are never imported in your code.
A malicious package can modify build tools like the TypeScript compiler during installation, causing it to inject malicious code into your application's final output.
Using the `--ignore-scripts` flag during `npm install` prevents `postinstall` scripts from running, but it can break legitimate packages that require them.
The `can-i-ignore-scripts` tool analyzes your dependencies and checks against a community-maintained list to see which packages require their scripts to run.
A secure installation process involves using a disposable container, running `npm ci --ignore-scripts`, and then selectively re-running only trusted scripts.
The Q&A covers the role of `package-lock.json` for reproducible builds, using Content Security Policy (CSP) as a defense, and strategies for updating dependencies.
Sensory-Minds GmbH
Offenbach am Main, Germany
Hubert Burda Media
München, Germany
44:11Raul Onitza-Klugman & Kirill Efimov
31:13Stefan Baumgartner
28:41Alexander Pirker
36:39Thomas Konrad
27:10Sonya Moisset
26:59Jakub Andrzejewski
42:55Feross Aboukhadijeh
27:41Liran Tal
Jobs that call for the skills explored in this talk.
ThreatFabric B.V.
Amsterdam, Netherlands
Motion Recruitment Partners LLC.