TLDR: This post highlights the importance of securing dependencies in the software supply chain.
What protects an organization from this behavior:
- A developer joins the organization as employee number 523,001
- The developer writes code for the organization on some work project
- The developer makes their own OSS package, outside of organization work, and publishes it to npm (or another registry)
- The developer installs their own npm package, to use on the organization's work project
- The package goes on to live undetected for years at the organization
At some point in the future, this package could be compromised, either intentionally by the now disgruntled developer, or accidentally by someone hacking the developer's machine or package and pushing a new version.
There's no CVE, no npm blacklisting of the package, no crowdsourced scanning and reports of this package since it is infrequently downloaded and has zero or minimal usage outside of the enterprise.
What protects enterprises from this?
Is there some rule somewhere that says:
```javascript
// Hypothetical policy rule; no registry or enterprise actually enforces this.
if (package.monthlyDownloads < 300000) {
  blockPackage();
}
```

Probably not. I haven't seen an enterprise with this rule yet. But, even with that rule, there are still countless other risks.
The best you can do is deny packages by default, maintain an allowlist, keep every package on your own internal registry, keep them scanned, and prevent automatic updates of packages.
Even so, most enterprises don't do this either.
Tip
Please, take a moment to secure your SDLC and your software supply chain.
Important
- Use an internal registry and require approval for adding packages. Evict and block access to compromised packages.
- Treat packages as immutable, and only use package management and registries that are immutable.
- Use hash-pinning everywhere, and don't rely on tags that could be compromised.
- Continuously scan packages (even old ones that have already been scanned) for newly-discovered security vulnerabilities.
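As an added example (not code from the original post), here is what a small CI check for three of the controls above looks like in practice: deny by default via an allowlist, require a hash pin on every dependency, and require every dependency to be resolved from the internal registry. It audits a constructed `package-lock.json` (lockfileVersion 3 layout). Everything named here is a hypothetical assumption built for the example: the internal registry URL `https://npm.internal.example/`, the package names, and the integrity values.

```javascript
// Added example, not code from the original post. It audits a constructed
// package-lock.json (lockfileVersion 3 layout) against three controls:
// deny-by-default allowlist, hash-pinning, and an internal registry.
// Everything named here (the internal registry URL, the package names, the
// integrity values) is a hypothetical assumption built for the example.

const INTERNAL_REGISTRY = "https://npm.internal.example/"; // assumed internal registry URL
const ALLOWLIST = new Set(["express"]);                    // packages approved for use

// Constructed sample lockfile. "express" is approved and properly pinned;
// "devs-own-helper" stands in for the developer's personal package pulled
// from the public registry; "internal-tag-dep" points at a git branch name.
const SAMPLE_LOCKFILE = {
  name: "work-project",
  lockfileVersion: 3,
  packages: {
    "": { name: "work-project" },
    "node_modules/express": {
      version: "4.18.2",
      resolved: "https://npm.internal.example/express/-/express-4.18.2.tgz",
      integrity: "sha512-CONSTRUCTEDHASHVALUEFORTHEEXAMPLE==",
    },
    "node_modules/devs-own-helper": {
      version: "1.0.3",
      resolved: "https://registry.npmjs.org/devs-own-helper/-/devs-own-helper-1.0.3.tgz",
      integrity: "sha512-CONSTRUCTEDHASHVALUEFORTHEEXAMPLE==",
    },
    "node_modules/internal-tag-dep": {
      version: "2.0.0",
      resolved: "git+ssh://git@github.com/example/internal-tag-dep.git#main",
      // no integrity field: a branch name is a mutable tag, not a hash pin
    },
  },
};

// Strip the "node_modules/" path prefix (also for nested installs) to get the
// package name; scoped names like "@scope/pkg" survive intact.
function packageNameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Returns one finding per non-compliant package: { name, version, reasons }.
// A clean lockfile yields an empty array.
function auditLockfile(lockfile, allowlist, registryPrefix) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // the root project entry, not a dependency
    const name = packageNameFromPath(path);
    const reasons = [];

    if (!allowlist.has(name)) {
      reasons.push("not on allowlist");
    }
    if (typeof meta.integrity !== "string" || meta.integrity.length === 0) {
      reasons.push("missing integrity hash (not hash-pinned)");
    } else if (!meta.integrity.startsWith("sha512-")) {
      reasons.push("integrity uses a weaker algorithm than sha512");
    }
    if (typeof meta.resolved !== "string" || !meta.resolved.startsWith(registryPrefix)) {
      reasons.push("resolved outside the internal registry");
    }

    if (reasons.length > 0) findings.push({ name, version: meta.version, reasons });
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

// Pass/fail result for a CI gate: true only when nothing was flagged.
function lockfileIsCompliant(lockfile, allowlist, registryPrefix) {
  return auditLockfile(lockfile, allowlist, registryPrefix).length === 0;
}

// Stand-alone run over the constructed sample.
for (const f of auditLockfile(SAMPLE_LOCKFILE, ALLOWLIST, INTERNAL_REGISTRY)) {
  console.log(`${f.name}@${f.version}: ${f.reasons.join("; ")}`);
}
```

Run it with `node` and the two non-compliant packages are listed with every reason that applies; wire `lockfileIsCompliant` into the build so a lockfile that introduces an unapproved, unpinned, or externally-resolved package fails the pipeline rather than landing quietly. Note that the check only looks at what the lockfile claims; the integrity hash is verified against the actual tarball by the package manager at install time, which is why the lockfile must be committed and installs must use it.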
The job of security is never done. Even now as I sit here and write this, there are some packages that I haven't scanned in a while or haven't had the time to update to a newer version. It's best to automate this with tools (like Dependabot) that help keep your dependencies scanned and up-to-date by automatically opening pull requests.