NPM BEST PRACTICES FOR THE SUPPLY-CHAIN

By OpenSSF, September 1, 2022, Blog
By Myles Borins (GitHub), Jordan Harband (No affiliation), Jeff Mendoza
(Google), Erez Rokah (CloudQuery), Laurent Simon (Google), Liran Tal (Snyk),
Randall T. Vasquez (Gentoo)

We are excited to announce the v1 release of the “npm Best Practices,” a new
guide focused on dependency management and supply chain security for npm. This
release is the result of the OpenSSF Best Practices Working Group. It is a
critical step to help JavaScript and TypeScript developers reduce risks as they
choose open-source dependencies to use in their projects. 

The ability to use another developer’s project as a dependency has contributed
to faster development time, innovation, and a vibrant open-source community. In
particular, npm—the package ecosystem that serves JavaScript and TypeScript
projects—has grown to include 2.1 million packages, with many JavaScript
projects built on tens or even hundreds of dependencies. npm is the largest
package ecosystem in existence; in fact, the npm ecosystem is considered larger
than most other significant programming language ecosystems combined. 

Using dependencies also incurs risks. A simple dependency update can break a
dependent project. Furthermore, like any other piece of software, dependencies
can have vulnerabilities or be hijacked, affecting the projects that use them
(1,2). Still, the benefits of using dependencies most often outweigh the
downsides. Accordingly, it is best to use (and maintain) dependencies with a
carefully thought-out and secure strategy. However, developing such a strategy
can be challenging, since it involves a different set of problems than most
developers are familiar with solving. Several npm community members and security
experts have come together, with the facilitation of the OpenSSF, to produce
these guidelines to benefit the npm community.

This new “npm Best Practices” guide is intended to help developers and
organizations facing such problems so that they can consume dependencies more
confidently. The guide provides an overview of supply chain security features
available in npm, describes the risks associated with using dependencies, and
lays out best practices to reduce those risks at different project stages. The
guidelines cover, for example, how to set up a secure CI configuration, how to
avoid dependency confusion, and how to limit the consequences of a hijacked
dependency. Developers who follow this guide will proactively harden their npm
packages against the most common supply chain attacks. We also hope automated
tools like Scorecards and Allstar will adopt these principles.
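As an added example, not code from this post or from the guide it announces, the script below shows the kind of check that sits behind two of the topics listed above. It audits the `packages` map of an npm v7+ `package-lock.json` against a per-scope registry policy: a package whose scope should come from an internal registry but was resolved from the public one is the classic dependency-confusion pattern, and an entry with no `integrity` hash leaves nothing pinning the exact tarball if the package is later hijacked. It also emits the `.npmrc` lines (`@scope:registry=` and `registry=`) that enforce the policy. The scope `@acme`, the host `npm.example.internal`, and the sample lockfile are constructed for the example and are not real infrastructure or a real project.

```javascript
'use strict';

// Expected registry per scope; '*' covers unscoped packages.
// Hosts and scope are assumptions for this example.
const REGISTRY_POLICY = {
  '@acme': 'https://npm.example.internal/',
  '*': 'https://registry.npmjs.org/',
};

// 'node_modules/a/node_modules/@s/b' -> '@s/b'
function packageName(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

function scopeOf(name) {
  return name.startsWith('@') ? name.slice(0, name.indexOf('/')) : '*';
}

// Returns one finding per problem: 'unexpected-registry' when the resolved
// tarball URL is not under the registry the policy expects for that scope,
// 'missing-integrity' when the entry carries no subresource integrity hash.
function auditLockfile(lock, policy = REGISTRY_POLICY) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '' || entry.link) continue; // root project / workspace symlink
    const name = packageName(lockPath);
    const expected = policy[scopeOf(name)] || policy['*'];
    const resolved = entry.resolved || '';
    if (!resolved.startsWith(expected)) {
      findings.push({ name, kind: 'unexpected-registry', resolved, expected });
    }
    if (!entry.integrity) {
      findings.push({ name, kind: 'missing-integrity', resolved });
    }
  }
  return findings;
}

// The .npmrc that pins each scope to its registry (real npm config syntax).
function npmrcForPolicy(policy) {
  const lines = Object.keys(policy)
    .filter((k) => k !== '*')
    .sort()
    .map((k) => `${k}:registry=${policy[k]}`);
  if (policy['*']) lines.push(`registry=${policy['*']}`);
  return lines.join('\n');
}

// Constructed sample lockfile (lockfileVersion 3 shape), not a real project:
// '@acme/internal' was resolved from the public registry (confusion),
// 'helper' came from an unknown mirror and has no integrity hash.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { left: '^1.0.0', '@acme/internal': '^2.0.0' } },
    'node_modules/left': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/left/-/left-1.0.0.tgz',
      integrity: 'sha512-AAAA',
    },
    'node_modules/@acme/internal': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/@acme/internal/-/internal-2.0.0.tgz',
      integrity: 'sha512-BBBB',
    },
    'node_modules/left/node_modules/helper': {
      version: '0.1.0',
      resolved: 'https://mirror.example.internal/helper/-/helper-0.1.0.tgz',
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
  console.log(npmrcForPolicy(REGISTRY_POLICY));
}
```

Run it against a real project by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))` and editing `REGISTRY_POLICY` for your scopes; a CI job that fails on any finding, combined with `npm ci` (which refuses to install when the lockfile and `package.json` disagree), turns the lockfile into an enforced allowlist rather than a cache.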

Please take a look at the guide, follow these practices, share with your friends
and colleagues, and suggest improvements. 

There are many other language ecosystems, and we are looking for help to create
more guideline documents to support developers using open source securely. If
you have feedback on the npm document or would like to contribute to a best
practice for another ecosystem, please reach out to us in the package manager
best practices repository.

This post represents the views of the authors & does not necessarily reflect
those of all OpenSSF members.

Copyright © 2023 The Linux Foundation® . All rights reserved. The Linux
Foundation has registered trademarks and uses trademarks. For a list of
trademarks of The Linux Foundation, please see our Trademark Usage page. Linux
is a registered trademark of Linus Torvalds. Privacy Policy and Terms of Use.