Running npm behind a corporate firewall: what do I need to tell the security team?

I am trying to run node.js but cannot install any packages as npm is blocked. I have tried the solutions here: How to fill in proxy information in cntlm config file?, and here: NPM behind NTLM proxy, and still received errors. I have triple-checked that I have followed the instructions and my ini has the same configuration as the instructions.

My next step is to ask the security team to allow npm access through the firewall, but I cannot see any documentation about this. What do I need to tell the security team?

Note: I am aware of npm Enterprise but I think before I get to that step I need to get established with npm.

Likes: 242
rlsaj asked Jan 20 '15 22:01



2 Answers

Yeah, in your simplest case all you need to do is one of these:

npm config set proxy http://company.com:8000

or

npm config set https-proxy http://company.com:8000

where http://company.com:8000 is your proxy server and port

(note the - dash, not _ underscore)

Also, can you test access to http://registry.npmjs.org (the npm registry) from that machine?

Additionally, your package.json also contains dependencies that require pulling code from a git repository. You may (most likely will) need to configure git to use a proxy as well.

Likes: 64
Craig Gjerdingen answered Sep 25 '22 00:09

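The steps in the answer above (npm proxy, https-proxy, a git proxy, and a registry reachability request for the security team) as one added shell example. It is not code from the answer or from npm; it renders the settings as .npmrc and .gitconfig fragments so they can be reviewed before being applied, and nothing here talks to the network. PROXY_URL, the strict-ssl and cafile lines, and the NPM_USER name are assumptions.

```shell
#!/bin/sh
# Added example: render the proxy configuration npm and git need behind a
# corporate proxy, and the one-line allowlist request for the security team.
# PROXY_URL is a constructed placeholder; replace it with the real proxy.
set -eu

PROXY_URL="http://company.com:8000"   # assumption: format host:port as in the answer

# Accept only http(s)://host:port; a missing scheme or port is the usual silent misconfig.
validate_proxy_url() {
  case "$1" in
    http://*:[0-9]*|https://*:[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Same keys "npm config set proxy" / "npm config set https-proxy" would write to ~/.npmrc.
# strict-ssl stays true; if the proxy intercepts TLS, point cafile at the corporate CA
# (assumed path) instead of turning certificate checking off.
render_npmrc() {   # $1 = proxy URL
  printf 'proxy=%s\nhttps-proxy=%s\nregistry=https://registry.npmjs.org/\nstrict-ssl=true\n' "$1" "$1"
  printf '; cafile=/etc/ssl/certs/corporate-ca.pem   ; assumption: uncomment if TLS is intercepted\n'
}

# git's equivalent of the same setting (git config --global http.proxy ...).
render_gitconfig() {   # $1 = proxy URL
  printf '[http]\n\tproxy = %s\n' "$1"
}

# What the firewall team must allow outbound: the registry host on 443/tcp
# (the host named in the answer; the port is the one the iptables answer uses).
firewall_request() {
  printf 'registry.npmjs.org 443/tcp outbound (HTTPS to the npm registry)\n'
}

# Top-level run: validate, then print the fragments for review.
if ! validate_proxy_url "$PROXY_URL"; then
  echo "PROXY_URL must look like http://host:port" >&2
  exit 1
fi
echo "# ~/.npmrc";      render_npmrc "$PROXY_URL"
echo "# ~/.gitconfig";  render_gitconfig "$PROXY_URL"
echo "# firewall request"; firewall_request
```

Review the printed fragments, then append them to the files named in the comments; keeping strict-ssl on and trusting the corporate CA via cafile preserves registry integrity checks that a blanket strict-ssl=false would discard.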

If you come here searching for an iptables rule:

If you want to allow only npm traffic for a certain user, the following might work:

iptables -I OUTPUT 1 -p tcp -m owner --uid-owner <username> -d registry.npmjs.org --dport 443 -j ACCEPT

Likes: 39
serv-inc answered Sep 26 '22 00:09
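An added example, not part of the answer above, that turns the single ACCEPT rule into a reviewable per-user egress policy: the same allow rule, followed by a LOG and a REJECT for that user's other outbound traffic so that blocked installs show up in the kernel log instead of failing silently. The default-deny for the user and the log prefix are assumptions about the intended policy; the script only prints the commands and applies nothing.

```shell
#!/bin/sh
# Added example: emit (do not apply) a per-user npm egress policy built on the
# answer's rule. Pipe the output to sh on a host where it has been reviewed.
set -eu

# $1 = local username, $2 = registry hostname.
# Note: iptables resolves "-d hostname" to IP addresses once, when the rule is
# inserted; re-run this if the registry's addresses change.
emit_rules() {
  user=$1
  host=$2
  # 1. the rule from the answer: allow HTTPS to the registry for this user only
  printf 'iptables -I OUTPUT 1 -p tcp -m owner --uid-owner %s -d %s --dport 443 -j ACCEPT\n' "$user" "$host"
  # 2. assumption: log anything else this user sends, so denied installs are visible
  printf 'iptables -A OUTPUT -m owner --uid-owner %s -j LOG --log-prefix "npm-egress-denied: "\n' "$user"
  # 3. assumption: then reject it (REJECT rather than DROP so npm fails fast)
  printf 'iptables -A OUTPUT -m owner --uid-owner %s -j REJECT\n' "$user"
}

# Number of rules emitted; handy for a sanity check before applying.
count_rules() {
  emit_rules "$1" "$2" | wc -l | tr -d ' '
}

# Top-level run with constructed values.
emit_rules npm-build registry.npmjs.org
```

The owner match only exists in the OUTPUT chain, so this constrains traffic the user's own processes originate; a proxy-based setup like the first answer's would instead need the proxy's address and port in rule 1.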