Oops! Stories of supply chain shenanigans

Can a dependency you never import inject a vulnerability into your application's final build? This talk demonstrates how.

#1about 4 minutes

Understanding software supply chain security in JavaScript

Software supply chain security involves managing the risks from third-party code you import, such as NPM packages.

#2about 1 minute

Using npm audit to find known package vulnerabilities

The `npm audit` command helps identify known vulnerabilities, like prototype pollution in older versions of packages like Lodash.

#3about 3 minutes

Overcoming the challenges of running npm audit in CI

Running `npm audit` in CI can lead to frequent build failures from low-risk issues like ReDoS in dev dependencies, causing audit fatigue.

#4about 4 minutes

Managing security alerts with the npm-audit-resolver tool

The `npm-audit-resolver` tool provides an interactive way to review, ignore, or postpone vulnerability alerts from `npm audit`.

#5about 6 minutes

How malicious packages use postinstall scripts to attack

Malicious NPM packages can execute arbitrary code during installation using lifecycle `postinstall` scripts, even if they are never imported in your code.

#6about 4 minutes

How a malicious package can compromise build tools

A malicious package can modify build tools like the TypeScript compiler during installation, causing it to inject malicious code into your application's final output.

#7about 3 minutes

Defending against malicious scripts with --ignore-scripts

Using the `--ignore-scripts` flag during `npm install` prevents `postinstall` scripts from running, but it can break legitimate packages that require them.

#8about 3 minutes

Identifying which package scripts are safe to ignore

The `can-i-ignore-scripts` tool analyzes your dependencies and checks against a community-maintained list to see which packages require their scripts to run.

#9about 1 minute

A secure workflow for installing NPM dependencies in CI

A secure installation process involves using a disposable container, running `npm ci --ignore-scripts`, and then selectively re-running only trusted scripts.

#10about 15 minutes

Q&A on package-lock, CSP, and dependency updates

The Q&A covers the role of `package-lock.json` for reproducible builds, using Content Security Policy (CSP) as a defense, and strategies for updating dependencies.