Reply to post: Re: to store packages in git or not that is the question

Worried about occasional npm malware scares? It's more common than you may think

Anonymous Coward
Anonymous Coward

Re: to store packages in git or not that is the question

> to store whole dependency packages in git or not.


Storing package*.json achieves the same thing (absent a serious breach of security of either your package repository of choice or your git repository) and is both easier to manage and easier to spot changes.

For the rest, it's about a multipronged approach, e.g.:

* Minimise external dependencies. You don't need trivial packages or stuff you can do without, for instance a fancy logging library; console.log does the job just as well.

* For those external dependencies that you do need, consider which amongst them are critical ones. This means: you can't easily replace them with something else without major effort. Things like database client libraries fall in this category.

* Consider hosting your own mirror of those critical dependencies and pulling the packages not from the NPM repository (you should avoid NPM altogether if you can) but from your own. If your package does not require building, you can pull directly from Git.

* Companies such as GitLab offer a number of tools to maintain integrity and run automated security audits. Those are a good idea.

* Do inspect packages by hand occasionally. Even a quick egrep -R "https?://" might help uncover foul game.

* Monitor egress traffic and apply usual security precautions.

* Do so consistently. This is the sort of thing which you should document in a manner appropriate to your situation (quality management system record, blog post on your intranet / personal website, a README somewhere in your hard drive, … whatever works for you).

Good question btw!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022