In NPM we trust

About npm install and all its consequences

@naugtur, Meet.js PoznaƄ 08/2016

## NPM is mostly about trust

You trust that the packages are there and that they do what you expect.
## left-pad story [on The Register](http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/)
## npm install

- reads package.json or npm-shrinkwrap.json
- downloads the packages and puts them in place
- runs builds and install scripts (preinstall, install, postinstall) with the privileges of whoever ran the command: https://docs.npmjs.com/misc/scripts
Try to find a definition of a remote code execution vulnerability that running `npm install` wouldn't fit...
## NPM worm

How do you make code spread on npm? Add a postinstall to a popular package that does the following:

- look for package.json files
- go into those folders
- add your postinstall there
- run `npm version patch`
- run `npm publish`
- watch it burn

*not my idea btw, it was published 2 years ago*
## Still, no one did that! Or at least no one succeeded.

Don't know if proud

or scared

## Node Security Platform

[https://nodesecurity.io/](https://nodesecurity.io/)

```
nsp check
(+) No known vulnerabilities found
```
## All in git?

Some teams suggest committing node_modules to git. That helps with security, because what gets deployed is exactly what was committed and reviewed, but...

- bigger repo
- you have to `npm rebuild` anyway (compiled native modules are platform-specific)
- a bit ugly ;)
## Artifacts bundling!
## secure dependencies

*never run npm install in production again!*

[https://github.com/naugtur/secure-dependencies](https://github.com/naugtur/secure-dependencies)

```
npm install secure-dependencies --save-dev
```

Add a script to package.json:

```js
"scripts": {
  "bundle": "secure-dependencies"
},
```

`npm run bundle` --> myapp-1.0.0.tgz
## How to deploy

- create the bundle
- upload it to an artifacts repository
- deploy the app
- instead of installing, download and untar the bundle, picking it by the package.json name and version fields
## Artifacts repository sounds scary

- your company probably has one already
- check out Nexus Repository (well known in the Java world)
- or just use `scp` with ssh keys to a server (very secure!)
## Production ready?

- it just creates a bundle; if that fails, you get a red CI build
- all you do in production is `untar` - can't get more stable than that
- extracting is faster than installing
- the bundle is deduplicated

> I'm putting it in production this week and it's been 4 days since I started it

Play safe!

@naugtur
http://naugtur.pl

Subscribe to my newsletter http://naugtur.pl/news and get:

  • notifications about events I organize before everyone else (think tickets)
  • access to learning resources I produce
  • no spam, less than 1 email a month on average