
How to Audit npm Supply Chain

Key idea:

npm is one of the largest software supply-chain attack surfaces: a typical application pulls in well over a thousand transitive packages, and any one of them can be hijacked through a stolen maintainer token, a typosquat, or a project handed to a new "maintainer". event-stream (2018), the xz-utils backdoor (2024, a C library rather than an npm package, but the same maintainer-takeover pattern) and the self-propagating Shai-Hulud worm (2025) each showed that trust in a dependency is only as strong as its weakest maintainer account. Defence in depth: (1) npm audit plus Dependabot (basic, free, known CVEs only); (2) Socket.dev (paid tier from $15/mo; flags packages by what their code does, such as network calls, filesystem access, install scripts and eval, rather than by published advisories); (3) Snyk (free tier available); (4) pnpm with a frozen lockfile; (5) package-lock.json integrity hashes, enforced by npm ci; (6) --ignore-scripts so install hooks never run unreviewed.

Below: step-by-step, working examples, common pitfalls, FAQ.


Step-by-Step Setup

  1. Run npm audit in CI with --audit-level=high, so the build fails on any high or critical advisory (known CVEs only; see pitfalls)
  2. Enable Dependabot alerts and security updates in GitHub (repository Settings → Code security)
  3. Install the Socket GitHub App: it comments on pull requests that add or upgrade a package with risky behaviour (install scripts, network access, obfuscated code)
  4. Use pnpm (or bun) instead of npm: content-addressable store shared across projects, a non-flat node_modules that stops packages importing dependencies they never declared, and a lockfile that pnpm install --frozen-lockfile keeps authoritative in CI (npm ci is deterministic too; the gain is the stricter layout)
  5. npm config set ignore-scripts true globally, then review the packages that declare install hooks and rebuild only the ones that genuinely need them (native addons)
  6. Pin exact versions (no ^): "react": "18.2.0" rather than "^18.2.0". This only pins direct dependencies; transitive versions are pinned by the lockfile, which is why the lockfile must be committed and installed with npm ci
  7. Monitor new releases of packages you already depend on: Socket CLI/app alerts on suspicious upgrades (a newly added install script, a new maintainer, sudden obfuscation), which is how a compromised patch release of an otherwise trusted package gets caught

Working Examples

Scenario: npm audit in CI
  # .github/workflows/audit.yml (steps of a job; npm ci first so the lockfile, not package.json, decides what gets installed)
  - run: npm ci --ignore-scripts
  - run: npm audit --audit-level=high   # non-zero exit (build fails) on any high or critical advisory

Scenario: pnpm strict mode
  # .npmrc
  strict-peer-dependencies=true
  save-exact=true
  auto-install-peers=false
  # package.json (with Corepack, pins the exact pnpm build for every developer and CI runner)
  "packageManager": "pnpm@8.15.0"
  # CI: refuse to install if pnpm-lock.yaml no longer matches package.json instead of silently updating it
  pnpm install --frozen-lockfile

Scenario: Socket.dev in CI
  # package.json: the Socket CLI runs before the project's own install
  "scripts": { "preinstall": "socket preinstall" }
  # Blocks the install if a supply-chain risk is detected.
  # Caveat: a package.json preinstall hook is itself a lifecycle script, so it does not run under
  # --ignore-scripts; in that setup run the Socket check as its own CI step before npm ci.

Scenario: Ignore install scripts
  # Global (written to ~/.npmrc)
  $ npm config set ignore-scripts true
  # Per install
  $ npm install --ignore-scripts
  # Re-run the hooks of one reviewed native package. The flag must be overridden explicitly,
  # because npm rebuild honours ignore-scripts from the config as well.
  $ npm rebuild sharp --ignore-scripts=false

Scenario: Lockfile integrity (Yarn Berry)
  # .yarnrc.yml
  enableGlobalCache: true
  checksumBehavior: throw          # default: abort if a fetched tarball's checksum differs from yarn.lock
                                   # ("update" would silently rewrite the lockfile instead of rejecting it)
  enableImmutableInstalls: true    # CI: fail rather than modify yarn.lock (same as `yarn install --immutable`)
  # npm equivalent: npm ci verifies every integrity hash in package-lock.json and refuses to run
  # if the lockfile and package.json disagree.

Common Pitfalls

  • npm audit only reports advisories already in the database; a freshly published malicious version has no CVE yet. Pair it with behaviour-based detection (Socket.dev) and --ignore-scripts
  • A vulnerable transitive dependency whose parent has not released a fix: use the overrides field in package.json to force the patched version, then re-run the test suite, because the parent never declared support for that version
  • Minified or obfuscated code in a postinstall hook hides what runs at install time. Keep ignore-scripts on by default; list the packages that declare hooks with npm query ":attr(scripts, [postinstall])" before deciding which ones to rebuild
  • devDependencies are installed in CI unless NODE_ENV=production is set or --omit=dev is passed. Prefer the explicit flag: npm ci --omit=dev (--production is the older spelling of the same thing), or npm prune --omit=dev after the build step
  • A committed lockfile is only as trustworthy as its last change: anyone who can push to the repository can edit the resolved URL or integrity of a single entry, and npm ci will then fetch a malicious tarball at the expected exact version. Review lockfile diffs in pull requests (especially resolved hosts) and lint them in CI, e.g. npx lockfile-lint --path package-lock.json --type npm --validate-https --allowed-hosts npm

Frequently Asked Questions

Dependabot or Renovate?

Dependabot: GitHub-native, simpler. Renovate: more flexible, works on GitLab/Bitbucket, configurable schedules. Solo projects — Dependabot. Teams with complex policies — Renovate.

Is Socket.dev free?

Free tier: 5 repos. $15/dev/mo paid. It analyses what the package code does (network calls, file operations, eval usage, install scripts) rather than matching advisories, so it can flag a novel supply-chain attack that has no CVE yet.

xz 2024 incident?

xz-utils (liblzma) CVE-2024-3094: a backdoor inserted by a contributor who had spent about two years earning maintainer trust (social engineering, not a technical exploit). On distributions whose sshd links libsystemd, which in turn loads liblzma, it let an attacker holding a specific key execute code through OpenSSH before authentication. It was found by a developer investigating unusual sshd CPU usage and login latency, shortly before it would have reached stable releases; luck, not tooling. It is not an npm package, but the maintainer-takeover pattern is exactly the one npm projects face.

npm vs pnpm vs bun?

pnpm: content-addressable store, fast, deterministic, and a strict non-flat node_modules in which a package can only import what it declares. bun: written in Zig (not Rust), with an installer far faster than npm's. For auditing, pnpm's layout and pnpm why make the installed graph easier to reason about than npm's hoisted, flattened node_modules, where a package may resolve a dependency it never listed.