Part of the reason why Node.js is so appealing is that it allows for easy application extensibility; you focus on your core competencies, and if you need additional features or functionality, you can include them by adding dependencies.

There are multiple downsides to the modularity of Node.js and the use of external dependencies, but with careful consideration, you can minimize the downsides from an application security perspective.

Many of the packages available to you in the npm registry are safe to use, but it goes without saying that this is not 100% true — dependencies that are safe today may not be safe tomorrow. Furthermore, dependencies that are created and maintained by a single author can be problematic, and dependencies that further rely on dependencies can result in what’s called the Node Module Hole.

In this article, we’ll take a look at what you need to keep in mind from an application security perspective when choosing and managing your npm dependencies, as well as tips and tricks you can employ to make this process easier and more manageable.

Choose your dependencies carefully

When choosing your dependency, take some time to make sure that the package isn’t suspicious or problematic. The npm repository offers package rating metrics and other social cues, such as ratings and popularity, that can signify whether a package is good or not.

There are other cues, too. What’s the maintenance history of the package? How many releases have there been? Has the creator maintained a regular schedule of fixes and upgrades, or has it been a while since anyone has done work on the package?

You should also be on the lookout for changes in ownership over the package; many a time, a creator has handed over the reins to a package, and the new owner(s) introduce malicious code into a once-trusted package.

Know what you’ve used (and what your dependencies use)

The tip of the iceberg is knowing which dependencies you’ve used (and hopefully why), but the modular nature of Node.js means that your dependencies are most likely relying on dependencies, too.

It’s easy to keep tabs on the dependencies you’ve opted for, but it’s important that you keep tabs on the dependencies on which your dependencies rely.

#nodejs #security #best-practices #npm

Tips for Managing NPM Dependencies
10.00 GEEK