Safeguard
Tag

npm

Safeguard articles tagged "npm" — guides, analysis, and best practices for software supply chain and application security.

119 articles

Concepts

What is a Package Registry Mirror

A package registry mirror is a local copy or caching proxy of a public registry. It keeps builds running when npm is down — and controls what enters your supply chain.

Dec 17, 20246 min read
Concepts

What is Dependency Pinning

Dependency pinning locks every package in your build to an exact, verified version so the code you tested is the code you ship. Here's how to do it per ecosystem.

Oct 8, 20246 min read
Licensing

Node.js License: What Actually Applies to Your App

Node.js itself ships under a permissive MIT-style license, but your app's real license exposure comes from the hundreds of npm packages riding along with it.

Sep 11, 20244 min read
Open Source Security

npm Package Takeover: The Summer 2024 Wave

Between May and June 2024 at least 36 npm packages were hijacked via expired maintainer domains and leaked tokens. We map the cluster.

Jun 20, 20245 min read
Vulnerabilities

CVE-2022-24785: The Moment.js Path Traversal, Explained

A user-controlled locale string was all it took: how CVE-2022-24785 let attackers traverse paths through Moment.js locale loading on Node.js, and why the fix is a one-line upgrade.

May 21, 20245 min read
Supply Chain Security

npm Lifecycle Scripts: The Hidden Attack Surface in Your Node.js Supply Chain

npm lifecycle scripts execute arbitrary code during package installation. This design choice creates one of the largest and least-understood attack surfaces in modern software development.

Mar 20, 20247 min read
Open Source Security

How to Publish an npm Package With Provenance

A step-by-step tutorial for publishing npm packages with provenance attestations so your consumers can cryptographically verify the build source.

Mar 8, 20246 min read
Software Supply Chain Security

Dependency Confusion in Private Registries: The Attack That Keeps Working

Dependency confusion exploits the gap between public and private package registries. Despite widespread awareness, organizations keep falling for it.

Feb 20, 20245 min read
Open Source Security

How to Detect Typosquatting in Package Installs

Build a pre-install guard that catches typosquatted npm, PyPI, and RubyGems dependencies using Levenshtein distance, download-count heuristics, and registry APIs.

Jan 15, 20245 min read
Open Source Security

npm Registry Governance and the Security of node_modules

The npm registry serves billions of downloads per week. Its governance decisions directly impact the security of every Node.js application on the planet.

Jan 8, 20247 min read
Open Source Security

How to Audit npm Postinstall Scripts Safely

Inspect every lifecycle script in your node_modules tree, disable dangerous ones by default, and catch malicious postinstall hooks before they execute.

Nov 22, 20234 min read
Supply Chain Security

Package Registry Mirroring: Security Benefits and Hidden Risks

Mirroring npm, PyPI, or Maven Central locally reduces dependency on external infrastructure. But mirrors introduce their own security considerations that most teams overlook.

Oct 8, 20235 min read
npm (Page 8) — Safeguard Blog