NPM Avoid Public Repositories

ID

avoid_public_repositories_npm

Severity

high

Family

Avoid public repositories

Description

Some organizations have a policy of using private repositories only, with a carefully curated process for loading dependencies into the private repository from the public ones.

This detector checks whether a public repository is configured, or whether only private repositories are configured.

The public repositories configured to check are:

- https://registry.npmjs.org
- https://replicate.npmjs.com
- https://skimdb.npmjs.com

You can add or remove repositories from this list with the public-repositories parameter. Private repositories are configured with the private-repositories parameter.

Security

Organizations restrict packages to private internal repositories for security reasons, for example to avoid downloading newer package versions, or packages, that have not been reviewed by the security team.

Examples

npm config ls -l

...
registry = "https://registry.npmjs.org/"
...
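As an added illustration (not the detector's own code), the check described above implemented in Python over output in the `npm config ls -l` format shown: it parses `key = value` lines, normalizes registry URLs, and flags any `registry` or `@scope:registry` entry that points at one of the listed public repositories or outside an assumed private allow-list (the `npm.example.internal` registry and the sample config are constructed placeholders).

```python
from urllib.parse import urlparse

# Public registries flagged by default (the three listed on this page).
PUBLIC_REPOSITORIES = [
    "https://registry.npmjs.org",
    "https://replicate.npmjs.com",
    "https://skimdb.npmjs.com",
]
PRIVATE_REPOSITORIES = ["https://npm.example.internal"]  # assumed private registry

# Constructed sample in the format printed by `npm config ls -l`.
SAMPLE_CONFIG = """\
; "user" config from /home/dev/.npmrc
registry = "https://registry.npmjs.org/"
@acme:registry = "https://npm.example.internal/"
"""

def normalize(url: str) -> str:
    """Drop quotes, scheme and trailing slash so equivalent URLs compare equal."""
    url = url.strip().strip('"\'')
    parsed = urlparse(url if "://" in url else "https://" + url)
    return (parsed.hostname or url).lower() + parsed.path.rstrip("/")

def parse_npm_config(text: str) -> dict:
    """Parse .npmrc / `npm config ls -l` style `key = value` lines, skipping comments."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        config[key.strip()] = value.strip().strip('"\'')
    return config

def check_registries(config: dict) -> list:
    """One finding per registry key that is public or not in the private allow-list."""
    public = {normalize(u) for u in PUBLIC_REPOSITORIES}
    private = {normalize(u) for u in PRIVATE_REPOSITORIES}
    findings = []
    # `registry` is the default; `@scope:registry` overrides it for one scope.
    for key, value in config.items():
        if key != "registry" and not key.endswith(":registry"):
            continue
        target = normalize(value)
        if target in public:
            findings.append((key, value, "public repository configured"))
        elif target not in private:
            findings.append((key, value, "registry not in private allow-list"))
    return findings
```

Running `check_registries(parse_npm_config(SAMPLE_CONFIG))` reports only the default `registry` entry, since the scoped `@acme:registry` points at the allowed private registry.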

Mitigation / Fix

You can point the registry property at your private repository with the command

npm config set registry <private-registry-url>

where <private-registry-url> is a placeholder for the URL of your organization's private registry.