This post explains how using a private npm registry to proxy the public npm registry helps you identify and control the packages you use, and how it increases the security of your code supply chain.
Want to manage the package dependencies you use for your projects? Reduce your dependency on the public npm registry? Or perhaps enforce security policies? Then read on.
It's a good idea to know and manage the packages you use
Millions of developers use the public npm registry every day and with over 1.5 million packages it is a critical source for open source packages.
But the convenience of packages from the public registry, and the development speed all those available open source packages enable, comes with downsides: it gets increasingly hard to keep track of and manage all those dependencies.
To avoid blindly trusting code from external sources, users should take steps to improve control over dependencies and overall security when using npm. This is a necessity for any organization that wants to manage its code supply chain.
One of the first things usually mentioned for improved npm security is the use of a private npm registry to host your packages.
Control over dependencies — How?
There are multiple ways a private registry enables better dependency management:
- Central hub for all your required package versions: Private and public together, possibly from multiple upstream sources.
- Identification and visualization of dependencies: with all required packages in one place, potential issues can be identified. Additionally, the proxy caches your packages, removing the worry that an essential package version will be unpublished in the future.
- Single package source: with all developers using the same registry containing the same versions, you can ensure everyone builds and tests consistently, removing the risk of unknowingly using different versions of a dependency.
Improved security — How?
Using a private registry as a proxy enables a layer of separation between your organization and the outside world.
- Security scanning: continuously scan and monitor your dependencies for known vulnerabilities and security issues.
- Security policies: with all packages in one place, you can enforce the security policies you require.
- License compliance: with all dependencies in one place, you can identify open source licenses and scan for problematic ones.
Interested in npm package security? Read my related post, "Control your npm packages & avoid dependency confusion" (Andreas Sommarström, Feb 19 '21).
Setting up and using a private registry is easy
Bytesafe offers hosted private npm registries that by default proxy the public npm registry, giving access to public npm packages as well as all the additional benefits Bytesafe brings to your workflow.
When using Bytesafe, developers configure their npm client to use the private registry instead of the (default) public registry. With a configured upstream, any package not available in the private registry is fetched from the upstream registry instead (registry.npmjs.org in this example).
Before new packages are pulled into your registries, they are checked against any active security policies, to make sure they do not violate any rules you have configured.
# Authenticate to Bytesafe using the npm client
$ npm --registry https://example.bytesafe.dev/r/default/ login
Username: bytesafe
Password:
Email(this IS public): you@example.com
Logged in as bytesafe on https://example.bytesafe.dev/r/default/.
# Work with the regular tooling (but direct your requests to private registry)
$ npm --registry https://example.bytesafe.dev/r/default/ publish
...
With the npm client no longer directly linked to the public registry, the workflow becomes:
- Developers: publish and install package versions to and from the Bytesafe private registry, with no direct interaction with the public registry and no need to change any behavior or usage patterns.
- Private registry: holds all public and private packages and any required dependencies. If a package version is required that is not in the proxy registry, it is pulled from the upstreams.
- Upstream registries: provide package versions when required and are the target when packages are pushed from the private registry. Upstreams can be either a single registry or multiple registries.
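One way to verify that a project actually follows this workflow, as an added example that is not part of Bytesafe's tooling or of the original post: a POSIX shell check that scans a package-lock.json for any `resolved` URL pointing outside the private registry, which would mean a dependency bypassed the proxy. The lockfile contents, package names, integrity values and registry URL below are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample package-lock.json (lockfileVersion 3 "packages" layout).
# One entry deliberately still resolves to the public registry.
PRIVATE_REGISTRY="https://example.bytesafe.dev/r/default/"
LOCKFILE="$(mktemp)"
cat >"$LOCKFILE" <<'EOF'
{
  "name": "sample-app",
  "lockfileVersion": 3,
  "packages": {
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://example.bytesafe.dev/r/default/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-CONSTRUCTED"
    },
    "node_modules/is-odd": {
      "version": "3.0.1",
      "resolved": "https://registry.npmjs.org/is-odd/-/is-odd-3.0.1.tgz",
      "integrity": "sha512-CONSTRUCTED"
    }
  }
}
EOF

# Extract every "resolved" URL from a lockfile, one per line.
resolved_urls() {
  grep -o '"resolved": *"[^"]*"' "$1" | sed 's/.*: *"\(.*\)"/\1/'
}

# Number of resolved URLs not served by the given registry prefix.
count_external_resolved() {
  resolved_urls "$1" | grep -vc "^$2" || true
}

# Returns 0 when every dependency comes from the private registry,
# 1 (and lists the offenders on stderr) when any dependency bypasses it.
check_lockfile_registry() {
  offenders=$(resolved_urls "$1" | grep -v "^$2" || true)
  if [ -n "$offenders" ]; then
    echo "dependencies resolved outside $2:" >&2
    echo "$offenders" >&2
    return 1
  fi
  return 0
}

# Usage: exits non-zero for the constructed lockfile because of is-odd.
check_lockfile_registry "$LOCKFILE" "$PRIVATE_REGISTRY"
```

Running this in CI against the committed lockfile catches the case where a developer installed with the public registry configured, which the proxy itself cannot see.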
Recap
Setting up and using a private npm registry is an easy and effective way to keep your dependencies in check and improve security when using npm, without impacting or changing the workflow for developers.
Bytesafe offers hosted, reliable and private npm registries. It's free to use for individual developers, so feel free to sign up if you need a private registry. Manage, collaborate and secure your code supply chain with Bytesafe!