For example, when you do npm init and install express, you end up with a node_modules folder with 20 other folders in it.
I never ran into this issue... but isn't it something that may be a concern?
First, it's important to do our homework before installing a package.
Read the package's page on npmjs.com and look at who published the package, the number of versions and the number of weekly downloads. If these numbers are very low, I would pass or definitely inspect the source code.
Another thing to do is to pay attention when you type the package name during installation. Typosquatting is possible, and there are published packages whose names are close to those of popular packages.
In terms of how secure npm (the registry) is, they do periodic penetration testing and ongoing code reviews. Also, they report vulnerabilities to package authors and handle vulnerability reports from other users. But it's a continuous fight against spammers, malware, etc.
Commands you can run:
npm outdated (for locals) and npm outdated -g --depth=0 (for globals)
This will check which packages are outdated and it will list "Current Wanted Latest" versions for each outdated package.
npm audit
This will produce a report of security vulnerabilities with the affected package name, vulnerability severity and description, etc.
Also, npm audit automatically runs when you install a package with npm install.
npm audit fix (https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities, https://www.youtube.com/watch?v=H48KuESn2sk)
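The two checks recommended in the answer above (watching for typosquatted names before you type `npm install`, and acting on what `npm audit` reports) can be scripted. The following Node.js script is an added example, not code from the original post or from npm itself. It assumes Node.js 14 or later and no third-party packages; the allow-list of package names and the audit report embedded in it are constructed samples that only mirror the shape of `npm audit --json` output (npm 7+), not real scan results.

```javascript
// Added example (not from the original post): two pre-install checks that follow
// the advice in the answer above. Assumes Node.js >= 14 and no third-party packages.

// --- Check 1: flag names that are within a couple of edits of a package you rely on.
function editDistance(a, b) {
  // Classic Levenshtein distance with a rolling two-row table.
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// CONSTRUCTED allow-list of names the team depends on; in practice derive it
// from package.json or an internal registry mirror.
const POPULAR = ['express', 'lodash', 'react', 'request', 'mongoose'];

// Returns the popular names that `typed` closely resembles but does not equal.
// An exact match is fine; a near-miss is a typosquat candidate to verify on
// npmjs.com (publisher, version history, weekly downloads) before installing.
function typosquatCandidates(typed, popular = POPULAR, maxDistance = 2) {
  const name = typed.toLowerCase();
  return popular.filter(p => p !== name && editDistance(name, p) <= maxDistance);
}

// --- Check 2: gate on the severities that `npm audit --json` reports.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// CONSTRUCTED sample in the npm 7+ report shape; package names and counts are invented.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': { name: 'example-parser', severity: 'high', isDirect: false, fixAvailable: true },
    'example-logger': { name: 'example-logger', severity: 'low', isDirect: true, fixAvailable: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0, total: 2 } },
};

// Returns the findings at or above `minSeverity`, so a CI step can fail the build
// (the same decision `npm audit --audit-level=<level>` makes for you).
function findingsAtOrAbove(report, minSeverity = 'high') {
  const floor = SEVERITY_RANK[minSeverity];
  if (floor === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  return Object.values(report.vulnerabilities || {})
    .filter(v => (SEVERITY_RANK[v.severity] ?? -1) >= floor)
    .map(v => ({ name: v.name, severity: v.severity, fixAvailable: !!v.fixAvailable }));
}

// Takes the text of a report saved with `npm audit --json > audit.json` and
// applies the gate; `pass` is false when anything at or above the floor remains.
function auditGate(reportJson, minSeverity = 'high') {
  const report = JSON.parse(reportJson);
  const hits = findingsAtOrAbove(report, minSeverity);
  return { pass: hits.length === 0, findings: hits };
}

// Demo run against the constructed inputs.
console.log('typosquat candidates for "expres":', typosquatCandidates('expres'));
console.log('audit gate (high):', auditGate(JSON.stringify(SAMPLE_AUDIT)));
```

In a real pipeline you would replace `SAMPLE_AUDIT` with the file written by `npm audit --json`, run the gate before `npm audit fix`, and re-run it afterwards to confirm that the findings marked `fixAvailable` are actually gone rather than only downgraded.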