By Myles Borins (GitHub), Jordan Harband (No affiliation), Jeff Mendoza (Google), Erez Rokah (CloudQuery), Laurent Simon (Google), Liran Tal (Snyk), Randall T. Vasquez (Gentoo)
Using dependencies also incurs risks. A simple dependency update can break a dependent project. Furthermore, like any other piece of software, dependencies can have vulnerabilities or be hijacked, affecting the projects that use them (1,2). Still, the benefits of using dependencies most often outweigh the downsides. Accordingly, it is best to use (and maintain) dependencies with a carefully thought-out and secure strategy. However, developing such a strategy can be challenging, since it involves a different set of problems than most developers are used to solving. Several npm community members and security experts have come together, with the facilitation of the OpenSSF, to produce these guidelines to benefit the npm community.
This new “npm Best Practices” guide is intended to help developers and organizations facing such problems so that they can consume dependencies more confidently. The guide provides an overview of supply chain security features available in npm, describes the risks associated with using dependencies, and lays out best practices to reduce those risks at different project stages. The guidelines cover, for example, how to set up a secure CI configuration, how to avoid dependency confusion, and how to limit the consequences of a hijacked dependency. Developers who follow this guide will proactively harden their npm packages against the most common supply chain attacks. We also hope automated tools like Scorecards and Allstar will adopt these principles.
Please take a look at the guide, follow these practices, share with your friends and colleagues, and suggest improvements.
— OpenSSF (@theopenssf) September 1, 2022
There are many other language ecosystems, and we are looking for help to create more guideline documents that support developers in using open source securely. If you have feedback on the npm document, or would like to contribute a best practices document for another ecosystem, please reach out to us in the package manager best practices repository.