Commit the lockfile, run npm audit in CI, use Dependabot or Renovate for auto-update PRs, and use Socket.dev to detect suspicious packages (beyond known CVEs). Be careful when installing new packages without review (typosquatting).

Dependency security manages supply chain risk: third-party dependencies are a common attack vector (Log4Shell, the event-stream incident, the ua-parser-js hijack).

npm audit scans for known vulnerabilities in CVE databases; npm audit --json produces output for programmatic parsing; npm audit fix auto-fixes patch versions, and --force also takes major versions (beware breaking changes). Severity levels: critical/high must be fixed immediately; moderate/low should be risk-assessed first.

Dependabot (built into GitHub) automatically opens PRs to update dependencies, with changelogs; configure it in .github/dependabot.yml with a schedule and allowed update types. Renovate (Mend) is a more powerful alternative to Dependabot: grouped updates, auto-merge when CI passes, monorepo support. Snyk offers deeper scanning (beyond CVEs), license compliance, container scanning, IaC scanning and IDE plugins. Socket.dev analyzes package behavior rather than only known CVEs, detecting typosquatting, suspicious code patterns and permission escalation.

Principles: the lockfile (package-lock.json, pnpm-lock.yaml) must be committed so installs are reproducible; do not run npm install --legacy-peer-deps carelessly in production; review packages before installing (bundlephobia size, npm downloads, GitHub activity, last publish date); prefer packages with fewer dependencies (smaller dependency tree = smaller attack surface). A Software Bill of Materials (SBOM) is a generated list of all dependencies and their versions, a compliance requirement for enterprise and government. npm publish with provenance verifies that a package was genuinely published from a specific CI run.
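The "npm audit --json for programmatic parsing" and "critical/high: fix immediately" points above become an enforceable CI rule with a small gate script. The following is an added example written for these notes, not code from npm or any tool named above; it assumes the npm 7+ audit report shape (a top-level vulnerabilities object keyed by package name, each entry carrying severity, isDirect and fixAvailable), and the report it ships with is constructed, not real audit data.

```javascript
// CI gate over `npm audit --json` output. Run as
//   npm audit --json | node audit-gate.js --stdin
// to fail the pipeline when any finding meets the severity threshold
// (AUDIT_FAIL_ON, default "high"); without --stdin it runs on the sample.
// Assumption: npm 7+ report shape { vulnerabilities: { <name>: { name, severity, isDirect, fixAvailable } } }.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Findings whose severity is at or above `threshold`, most severe first.
function findingsAtOrAbove(report, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity: ${threshold}`);
  return Object.values(report.vulnerabilities || {})
    .filter((v) => (SEVERITY_RANK[v.severity] ?? -1) >= min)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),           // direct deps are ours to bump in package.json
      fixAvailable: Boolean(v.fixAvailable), // false: no fix without a breaking change or override
    }))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// Gate decision: ok only when nothing at or above the threshold remains.
function auditGate(report, threshold = "high") {
  const blocking = findingsAtOrAbove(report, threshold);
  return { ok: blocking.length === 0, blocking };
}

// Constructed sample report (hypothetical package names, not real audit data).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": { name: "example-parser", severity: "critical", isDirect: false, fixAvailable: true },
    "example-utils":  { name: "example-utils",  severity: "moderate", isDirect: true,  fixAvailable: true },
    "example-http":   { name: "example-http",   severity: "high",     isDirect: true,  fixAvailable: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 1, total: 3 } },
};

const useStdin = process.argv.includes("--stdin");
const report = useStdin ? JSON.parse(require("fs").readFileSync(0, "utf8")) : SAMPLE_REPORT;
const verdict = auditGate(report, process.env.AUDIT_FAIL_ON || "high");
for (const f of verdict.blocking) {
  console.error(`${f.severity.toUpperCase()} ${f.name} direct=${f.direct} fixAvailable=${f.fixAvailable}`);
}
console.error(verdict.ok ? "audit gate: ok" : `audit gate: ${verdict.blocking.length} blocking finding(s)`);
// Only the real run (--stdin) sets the CI exit status; the sample run is informational.
if (useStdin && !verdict.ok) process.exitCode = 1;
```

Findings with fixAvailable=false are the ones that need a manual decision (an override, a replacement package, or a documented risk acceptance) rather than another npm audit fix run.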