Safeguard
Open Source

The npm figlet Package: A Security Review and Safe Usage Guide

The npm figlet package turns text into ASCII art and is downloaded well over a million times a week. Here is what it does, how to use it, and how to treat even a small utility as part of your supply chain.

Karan Patel
Platform Engineer
5 min read

The npm figlet package is a widely used JavaScript library that turns plain text into ASCII art banners, implementing the classic FIGfont specification for use in Node.js and the browser. If you have ever seen a CLI tool print its name in big blocky letters on startup, there is a good chance figlet produced it. It is a small, focused utility, and it is also a useful case study in why even trivial dependencies deserve a moment of security thought.

What figlet does

figlet takes a string and renders it as ASCII art using FIGfonts, the font format created for the original FIGlet program from the early 1990s. The npm package is a full implementation of the FIGfont spec, written to work both in Node and in browsers, and it is genuinely popular, drawing well over a million downloads a week according to package registries.

Basic usage in Node looks like this:

const figlet = require('figlet');

figlet('Hello World', (err, data) => {
  if (err) {
    console.error('Something went wrong');
    return;
  }
  console.log(data);
});

There is also a synchronous form and font selection:

const banner = figlet.textSync('Deploy', { font: 'Standard' });
console.log(banner);

Typical uses are CLI splash screens, generated README banners, terminal dashboards, and anywhere you want text to look intentionally retro.

Installing it

npm install figlet --save-dev

Note the --save-dev. In most real projects figlet is a developer or build-time nicety, not a production runtime need. Putting it in devDependencies keeps it out of the code path your users actually depend on, which shrinks your production attack surface. If you genuinely render banners at runtime, then dependencies is correct, but decide deliberately rather than defaulting.

Is figlet safe to use?

figlet is a long-lived, popular, actively maintained package, and its function, transforming strings into ASCII art, is low-risk by nature. It does not need network access, it does not touch credentials, and it does not require elevated permissions to do its job. There is no reason to be nervous about figlet specifically.

But "this specific package is fine" is not the same as "I do not need to think about it." The reasons to still apply supply chain hygiene:

  • Transitive reach. Even a small package brings its own font data and any dependencies it declares. You are trusting the whole subtree, not just the top-level name.
  • Account and pipeline risk. Any popular package is an attractive target for account takeover or a compromised release. Popularity is exactly what makes a package worth attacking, because one bad version reaches many installs.
  • Typosquats. Because figlet is well known, look-alike names exist to catch mistyped installs. Confirm you installed figlet, not a near-miss variant.

Safe usage practices

Treat figlet the way you should treat any dependency, no more paranoid and no less:

  1. Pin with a lockfile. Commit package-lock.json and install with npm ci so a compromised patch release cannot silently replace the version you vetted.
  2. Prefer devDependencies unless you truly render ASCII art at runtime.
  3. Audit the tree. Run npm audit and, better, a dedicated scanner across your full dependency graph. An SCA tool will flag a known-bad version of figlet or anything beneath it, including issues you would never spot by eye.
  4. Review before upgrading majors. Read the changelog rather than blindly bumping.
  5. Check install scripts. figlet is not known for risky lifecycle hooks, but the habit of checking whether a package runs code at install time is worth keeping. You can inspect with npm install --ignore-scripts when in doubt.

For the broader why-this-matters, the mechanics of install-time execution are covered in the npm prepare script guide, and the general concept of inherited third-party code in what is a dependency in programming.

A note on version ranges

If you see a caret range like ^1.9.0 in a package.json, that means "compatible with 1.9.0," allowing minor and patch updates but not a new major. The caret is convenient but it also means the exact version you get can drift over time unless a lockfile pins it. This is not figlet-specific; it applies to every dependency, and it is precisely why the committed lockfile does the real work of reproducibility. Ranges expressed with less-than comparisons behave differently, so read them carefully when you audit a manifest.

The takeaway

figlet is a fun, well-built, low-risk package that does exactly one thing and does it well. Use it freely. The point of a security review for something this innocuous is to build the muscle: every dependency, no matter how small, is code you run and code you inherit downstream. Apply the same lockfile-plus-scanning hygiene to figlet that you would to a web framework, and you will not have to make special exceptions for anything.

FAQ

What is the npm figlet package used for?

figlet converts text into ASCII art banners using FIGfonts. It is commonly used for CLI splash screens, terminal dashboards, and generated banners, and it works in both Node.js and the browser.

Should figlet be a dependency or a devDependency?

In most projects it should be a devDependency, because ASCII banners are usually a build-time or developer convenience rather than a production runtime need. Use dependencies only if you render figlet output at runtime.

Is the figlet package safe?

figlet is a popular, actively maintained, low-risk utility that needs no network or credential access to function. It is safe to use, but you should still apply standard supply chain hygiene: pin with a lockfile, scan your tree, and confirm you installed the correctly spelled package.

How do I install figlet?

Run npm install figlet (add --save-dev for a dev dependency). Commit your lockfile and install with npm ci in CI so everyone gets the exact version you reviewed.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.