NPM Dependency Confusion
ID |
dep_confusion_npm |
Severity |
high |
Family |
Dependency Confusion |
Description
Dependency Confusion in NPM occurs when the project has dependencies that
either they do not exist in the npm repository, or they exist but were created
after they were added to the package.json file.
You may read the original post on this kind of attack.
Security
If the dependency does not exist in the NPM repository, an attacker can create a public package with the same name and introduce the malicious code in your project.
If the dependency exists in the NPM repository but was created after, the attack could have been done already, or you may not have control on the package with the same name published by a third party.
Examples
package.json
"dependencies": {
"my-org-private-package": 1.0.0
}
You should have a scoped dependency instead:
package.json
"dependencies": {
"@myorg/my-org-private-package": 1.0.0
}
Mitigation / Fix
-
Always use an internal 'proxy' private, inner npm registry, and avoid public registries altogether. Ensure that all npm configurations use this registry, and never a public one (there is a
avoid-public-repostories-npmrule to enforce this). -
If you have an internal npm registry for your organization’s packages, but rely on public registries for open-source packages, then you must register your organization with a private scope
@myorgwith NPM. Your organization is then the only party allowed to publish packages under that scope. -
Link your organization scope to the internal npm registry. For example:
npm config set @myorg:registry http://npm-reg.myorg.com
-
Use the scoped private package name in the projects.
|
To create scoped private packages https://docs.npmjs.com/creating-and-publishing-private-packages Or if the package is public you can create a scoped package with this guide https://docs.npmjs.com/creating-and-publishing-scoped-public-packages |