In NPM we trust
About npm install and all its consequences
@naugtur, Meet.js Poznań 08/2016
## NPM is mostly about trust.
You trust the packages are there and do what you expect
## left-pad story
[on The Register](http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/)
## npm install
- reads package.json or npm-shrinkwrap.json
- downloads packages and put in place
- runs builds and install scripts
Find a definition of remote code execution vulnerability that wouldn't fit running npm install...
## NPM worm
How to make code spread on npm?
Add a postinstall to a popular package with steps:
- look for package.json files
- go into the folders
- add your postinstall there
- run `npm version patch`
- run `npm publish`
- watch it burn
*not my idea btw. published 2 years ago*
## Still, noone did that!
Or at least noone succeeded
Don't know if proud
## Node Security Platform
(+) No known vulnerabilities found
## All in git?
Some teams suggest committing node_modules to git.
That helps with security, but...
- bigger repo
- have to `npm rebuild` anyway
- a bit ugly ;)
## secure dependencies
*never run npm install in production again!*
npm install secure-dependencies --save-dev
`npm run bundle` --> myapp-1.0.0.tgz
## How to deploy
- create bundle
- upload it to artifacts repository
- deploy app
- instead of installing, download and untar based on package.json name and version fields
## Artifacts repository sounds scary
- your company probably has one
- check out Nexus Repository (well known in Java world)
- or just use `scp` with ssh keys to a server (very secure!)
## Production ready?
- It just creates a bundle, if it fails, you get a red CI build
- All you do in production is `untar` - can't get more stable than that
- Extracting is faster than installing
- The bundle is deduplicated
>I'm putting it in production this week and it's been 4 days since I started it
Subscribe to my newsletter http://naugtur.pl/news and get:
- notifications about events I organize before everyone else (think tickets)
- access to learning resources I produce
- no spam, less than 1 email a month on average