Npm Security Best Practices


Writing Secure Code

This article was originally published on Medium.com.

As we all know, preventing illness is safer and more cost-effective than treating it.

Security vulnerabilities don’t just damage a firm’s reputation; they also lead to legal consequences and financial penalties. For example, U.S. telecom giant AT&T was recently fined $13 million after a breach exposed sensitive customer data. The same principle applies to software development: from writing code during development to deploying it in production, code security and hygiene are among the most critical concerns across a system’s entire lifecycle.


It’s not enough for code to just work; it should also be clean, readable, reliable, scalable, and secure.

Vulnerable Code and DDoS Attacks


Imagine a developer who doesn’t consider security while coding, for example by not setting timeouts on long-running HTTP requests. A client that opens connections and never completes them, or a server that waits on each of them indefinitely, can exhaust the worker pool, file descriptors or memory, degrading performance or bringing the service down; with enough clients doing it at once the same weakness becomes a DDoS. That’s why implementing both client-side and server-side timeouts, and treating security as an integral part of development, is always a best practice.


So, let’s take a closer look at what secure code means, and explore how third-party dependencies, especially in modern frameworks like React, Angular, Vue.js, Next.js, and Spring Boot, are deeply intertwined with writing secure software.


Introduction to npm


Npm is the standard package manager for Node.js. It started as a way to download and manage the dependencies of Node.js packages, but it has since become a tool used for frontend JavaScript as well.

npm installs, updates and manages downloads of dependencies of your project. Dependencies are pre-built pieces of code, such as libraries and packages, that your Node.js application needs to work.

Installing all dependencies

If a project has a package.json file, running

npm install

installs everything the project needs into the node_modules folder, creating it if it does not exist already. In CI and production builds, prefer npm ci, which installs exactly the versions recorded in package-lock.json and fails if the lockfile is out of sync with package.json, so every environment gets the same, reviewed dependency tree.

Installing a single package

You can also install a specific package by running npm install <package-name>

ex: npm install jest or, for short, npm i jest

The difference between devDependencies and dependencies is that the former holds development-only tools, such as a testing library, while the latter is what the application needs at runtime; npm install --omit=dev installs only the latter, which is what a production image should contain.

Updating packages

Updating is also straightforward: run npm update

npm will check every package for a newer version that still satisfies the version range in your package.json, install it, and record it in package-lock.json. You can specify a single package to update as well: npm update <package-name>


Critical npm vulnerabilities

In the npm ecosystem, the most critical vulnerabilities typically fall into the following categories:

1- Remote Code Execution (RCE)

Allows attackers to execute arbitrary code on the server or on a user’s machine.

  • Unsafe use of eval(), child_process (for example exec() with a shell command built from user input), or require() with a dynamic path

2- Arbitrary File Write/Overwrite

Attackers can write files anywhere on the host filesystem.

  • Insecure use of fs.writeFile with a path derived from untrusted input and no path sanitization

3- Path Traversal

Attackers access files outside the intended directory (e.g., /etc/passwd).

  • Often seen in Express.js file-serving or upload middleware that joins a user-supplied path onto a base directory

4- Denial of Service (DoS)

Crashes or stalls the application through resource exhaustion or pathological inputs.

  • ReDoS (Regular Expression DoS)
  • Parsing JSON bodies of unbounded size
  • Poor handling of large payloads and missing timeouts

5- Server-Side Request Forgery (SSRF)

Attackers force the server to make requests to internal services (e.g., cloud metadata APIs).

  • Unvalidated URLs in HTTP requests made by the server

6- Hardcoded Secrets / Credentials

  • Exposure of API keys, tokens, or database passwords in source code or published npm packages
  • Common cause: committing .env files or hardcoding secrets in config files

7- Insecure Dependencies

  • Impact: malware gets installed via lookalike package names (e.g. crossenv instead of cross-env), or a known-vulnerable version of a legitimate package is pulled in transitively


As you can see, code pulled in through npm can introduce highly critical vulnerabilities into our codebase, so let’s focus on how we can prevent these security risks.

Preventing Vulnerable Code


  • Developers should be trained in writing secure code.
  • Code reviewers should focus not only on quality but also on secure implementation: input validation, path and URL handling, timeouts, and how secrets are loaded.
  • Latest package versions should not be installed without checking them with tools like Snyk or npm audit, and the lockfile should be committed so every environment installs the same reviewed versions.
  • All dependencies should be updated regularly for app hygiene; known vulnerabilities in old versions are the easiest ones for an attacker to exploit.
  • Security tools like Snyk and SonarQube should be integrated into the CI/CD pipeline so that a build fails on new findings instead of relying on someone to remember to run them.

Conclusion

Security is an important part of coding that shouldn’t be overlooked. Developing secure coding habits, managing dependencies carefully, and using security tools help protect both you and your projects. Remember, security isn’t just something to think about at the end, it’s a trusted companion throughout the entire development journey.

If you found it useful, feel free to share, it means a lot! And if you have your own insights, I’d love to see them in the comments. Let’s learn from each other.

Thanks for reading! 🙏

Let’s Connect : Substack | LinkedIn

