Avoid publishing secrets (API keys, passwords or other secrets) to the npm registry.
When updating the
.gitignorefile, also update
The ignore files function as blacklist. Instead, use the
package.json. It works as a whitelist and specifies the array of files to be included in the package (the ignore file functions as a blacklist). They can be used together to determine which files should explicitly be included and excluded from the package. The
package.jsontakes precedence over the ignore file.
Before publishing do a dry run by adding the
--dry-runargument to the publish command to review what will be in the tarball.
Enforce the lockfile (
yarn install --frozen-lockfile,
Reduce attack surface
Do not immediately and blindly upgrade to new versions; wait a while (but not until they are outdated of course).
Before upgrading, review changelog and release notes.
When installing packages, add the
--ignore-scriptssuffix to disable the execution of scripts by third-party packages.
.npmrcproject file or the global npm configuration.
Maintain project health
npm outdatedto see if any packages are out of date.
npm doctorto review the npm setup.
Check that the official npm registry is reachable and displays the currently configured registry.
Check Git is available.
Review installed npm and Node.js versions.
Run permission checks on the local and global
node_modules, and package cache folders.
Check the local npm module cache checksum.
Audit for vulnerabilities in open source dependencies. Scan with
npm audit. See Comparing npm audit with Snyk