Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Running npm behind a corporate firewall: what do I need to tell the security team?

Tags:

I am trying to run node.js but cannot install any packages as npm is blocked. I have tried the solutions here: How to fill in proxy information in cntlm config file?, and here: NPM behind NTLM proxy and still received errors. I have tripled checked that I have followed the instructions and my ini has the same configuration as the instructions.

My next step is to ask the security team to allow npm access through the firewall, but I cannot see any documentation about this. What do I need to tell the security team?

Note: I am aware of npm Enterprise but I think before I get to that step I need to get established with npm.

like image 242
rlsaj Avatar asked Jan 20 '15 22:01

rlsaj

People also ask

How secure is NPM?

The company claims it found more than 1,300 malicious npm packages in 2021 in npm. That's bad, but 1,300 out of 1.8-million is only 0.007222%. If you were to just randomly grab JavaScript packages for your program, odds are you'll be safe.

Where should I run NPM install?

You should run it in your project root folder, or the folder above your node_modules folder as sometimes the structure can differentiate between projects. But in general: the root folder of your project, as long as it is one folder above your node_modules.

What is a NPM proxy?

Central registry: an npm proxy acts as a central registry for all your required package versions. Private and public together, possibly from multiple upstream sources. Visualization of dependencies: With all required packages in one place it enables identification of a potential issues.

2 Answers

Yeah, in your simplest case all you need to do is one of these

npm config set proxy http://company.com:8000

or

npm config set https-proxy http://company.com:8000

where http://company.com:8000 is your proxy server and port

(note the - dash, not _ underscore)

Also can you test access to http://registry.npmjs.org the npm registry from that machine.

Additionally your package.json also contains dependencies that require the pulling of a git repository code. You may (most likely will) need to configure git to use a proxy as well.

like image 64
Craig Gjerdingen Avatar answered Sep 25 '22 00:09

Craig Gjerdingen

If you come here searching for an iptables rule:

If you want to allow only npm traffic for a certain user, the following might work:

iptables -I OUTPUT 1 -p tcp -m owner --uid-owner <username> -d registry.npmjs.org --dport 443 -j ACCEPT
like image 39
serv-inc Avatar answered Sep 26 '22 00:09

serv-inc
Sign in to Comment

Related questions

Angular UI Grid: How to create a pre-populated dropdown menu for column filtering
Android Studio documentation auto popup issue
Did I find a bug in java.io.PipedInputStream?
How to find the longest path in a graph with a set of start and target points?
How to use Jest with React Native
Apache alias for Laravel and Lumen
Why does this compile under Java 7 but not under Java 8?
On Android M, how to configure the "direct-share" capabilities (image, text), and how to query the items?
Handling Mysql Spatial datatypes in Laravel Eloquent ORM
How to fire periodic actions using setTimeout and dispatcher in redux
SceneKit - Threads - What to do on which thread?
How do you unit test an ASP.NET Core controller or model object?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!