vt-c-npm-security¶
npm/pnpm dependency security scanning and vulnerability management. Activates when working with package.json, adding dependencies, or discussing supply chain security.
Plugin: core-standards
Category: Security & Compliance
Command: /vt-c-npm-security
npm Security¶
This skill provides guidance for managing npm/pnpm dependency security in Node.js projects.
When This Skill Activates¶
- Adding new dependencies
- Running security audits
- Updating packages
- Reviewing package.json changes
- Discussing supply chain security
Security Scanning Commands¶
Basic Audit¶
Fix Vulnerabilities¶
# Auto-fix (safe fixes only)
npm audit fix
# Force fix (may include breaking changes)
npm audit fix --force
# See what would be fixed without applying
npm audit fix --dry-run
CI/CD Integration¶
# GitHub Actions
- name: Security audit
run: npm audit --audit-level=high
# Fail build on vulnerabilities
- name: Security audit (strict)
run: |
npm audit --json > audit.json
CRITICAL=$(jq '.metadata.vulnerabilities.critical' audit.json)
HIGH=$(jq '.metadata.vulnerabilities.high' audit.json)
if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
echo "Critical or high vulnerabilities found!"
exit 1
fi
Before Adding Dependencies¶
Evaluation Checklist¶
Before adding any new package:
-
Check security history
-
Evaluate maintenance
- Last publish date (avoid abandoned packages)
- Number of maintainers
- Open issues vs closed issues ratio
-
TypeScript support
-
Review dependencies
-
Check download stats
- Very low downloads may indicate untested code
- Very new packages are higher risk
Red Flags¶
🚩 Avoid packages that: - Haven't been updated in >2 years - Have many unresolved security issues - Have very few weekly downloads (<1000) - Require excessive permissions - Have obfuscated code - Were recently transferred to new maintainers
Lock File Security¶
Always Commit Lock Files¶
# Ensure lock file is committed
git add package-lock.json # or pnpm-lock.yaml
git commit -m "chore: update lock file"
Verify Lock File Integrity¶
In CI/CD¶
# Use ci command, not install
- run: npm ci
# Verify no lock file changes
- run: |
npm ci
git diff --exit-code package-lock.json
Dependency Update Strategy¶
Regular Updates¶
# Check for outdated packages
npm outdated
# Update within semver ranges
npm update
# Update to latest (may break things)
npx npm-check-updates -u
npm install
Automated Updates¶
Use Dependabot or Renovate:
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
groups:
production-dependencies:
patterns:
- "*"
exclude-patterns:
- "@types/*"
- "eslint*"
- "prettier*"
Supply Chain Security¶
Use Scoped Packages When Possible¶
Pin Exact Versions¶
Enable npm Package Verification¶
# Enable signature verification
npm config set sign-git-tag true
# Use npm provenance
npm publish --provenance
Vulnerability Response¶
When a Vulnerability is Reported¶
-
Assess severity and exploitability
-
Check if you're actually affected
- Is the vulnerable code path used?
-
Is it in prod dependencies or just dev?
-
Apply fix
-
If no fix available
- Consider alternatives
- Implement workaround
- Add to
.nsprcto acknowledge (temporary)
Allowlisting Known Issues¶
// .nsprc (temporary allowlist)
{
"exceptions": [
"https://github.com/advisories/GHSA-xxxx-xxxx-xxxx"
]
}
Scripts Security¶
Review postinstall Scripts¶
# See what scripts will run
npm pack <package> --dry-run
tar -tf <package>.tgz
# Check package.json scripts
Disable Scripts by Default (SPEC-103)¶
The toolkit default is --ignore-scripts for all npm ci and npm install operations.
Post-install scripts from untrusted packages are a supply chain attack vector.
# Default install — scripts disabled
npm ci --ignore-scripts
# Then audit before anything else
npm audit --audit-level=high
# If a trusted package needs post-install scripts, run selectively
npm rebuild <specific-trusted-package>