dependency-supply-chain-security

Dependency & Supply Chain Security

The Dependency Risk

Your application includes hundreds of npm packages. Each one is code written by someone else that runs inside your application with the same privileges as your own code, and some of it runs before you have read a line of it: `npm install` executes any `preinstall`, `install` and `postinstall` lifecycle scripts a package declares (pass `--ignore-scripts` to suppress them, at the cost of breaking packages that genuinely need a build step).

The Statistics Are Sobering

According to Sonatype's 2024 State of the Software Supply Chain Report:
  • 245,000 malicious packages published to npm (2023)
  • 700% increase in supply chain attacks (vs 2022)
  • Average application has 200+ dependencies
  • Each dependency averages 5 transitive dependencies (dependencies of dependencies)

Most of the code in `node_modules` is therefore transitive: packages you never chose, pulled in by packages you did. `npm ls --all` prints the resolved tree from package-lock.json.
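As an added example (not code from the original page or from the project), the Node.js script below walks a package-lock.json the way npm resolves it and reports the direct/transitive split, the depth of the tree, how many packages each direct dependency drags in, and which packages declare install scripts. The lockfile it reads is constructed for the demo; the package names and versions are illustrative, not a real dependency tree. To run it on a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `summarizeLockfile`.

```javascript
// Added example, not from the original page: summarise a package-lock.json
// (lockfileVersion 3) the way npm resolves it. The lockfile below is
// constructed for the demo; names and versions are illustrative only.
const sampleLockfile = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { next: "15.5.4", react: "19.0.0" },
      devDependencies: { eslint: "9.0.0" },
    },
    "node_modules/next": { version: "15.5.4", dependencies: { postcss: "8.4.31", "styled-jsx": "5.1.6" } },
    "node_modules/react": { version: "19.0.0" },
    "node_modules/postcss": { version: "8.4.31", dependencies: { nanoid: "3.3.7", picocolors: "1.0.0" } },
    "node_modules/nanoid": { version: "3.3.7" },
    "node_modules/picocolors": { version: "1.0.0" },
    "node_modules/styled-jsx": { version: "5.1.6" },
    "node_modules/eslint": { version: "9.0.0", dev: true, dependencies: { picocolors: "0.2.1" } },
    // eslint pins an older picocolors, so npm nests a second copy under it.
    // npm records hasInstallScript when a package declares (pre|post)install.
    "node_modules/eslint/node_modules/picocolors": { version: "0.2.1", hasInstallScript: true },
  },
};

// Resolve `name` as required from the package installed at `fromPath`:
// look in its own node_modules first, then walk up, exactly as Node does.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (optional or unmet peer dependency)
    const up = base.lastIndexOf("/node_modules/");
    base = up === -1 ? "" : base.slice(0, up);
  }
}

// Every package reachable from `startPath` through `dependencies`, excluding itself.
function reachableFrom(packages, startPath) {
  const seen = new Set([startPath]);
  const queue = [startPath];
  while (queue.length) {
    const path = queue.shift();
    for (const name of Object.keys(packages[path].dependencies || {})) {
      const target = resolveDep(packages, path, name);
      if (target && !seen.has(target)) {
        seen.add(target);
        queue.push(target);
      }
    }
  }
  seen.delete(startPath);
  return seen;
}

function summarizeLockfile(lock) {
  const packages = lock.packages;
  const root = packages[""] || {};
  const directNames = Object.keys({ ...(root.dependencies || {}), ...(root.devDependencies || {}) });
  const directPaths = new Set();
  const transitivePaths = new Set();
  const perDirect = {}; // how many packages each direct dependency drags in
  const depth = new Map(); // path -> shortest chain length from the root

  for (const name of directNames) {
    const path = resolveDep(packages, "", name);
    if (!path) continue;
    directPaths.add(path);
    depth.set(path, 1);
    const closure = reachableFrom(packages, path);
    perDirect[name] = closure.size;
    for (const p of closure) transitivePaths.add(p);
  }
  // A package that is both direct and pulled in by another direct dep counts as direct.
  for (const p of directPaths) transitivePaths.delete(p);

  // Breadth-first pass for depth: the first visit of a path is its shortest chain.
  const queue = [...directPaths];
  while (queue.length) {
    const path = queue.shift();
    for (const name of Object.keys(packages[path].dependencies || {})) {
      const target = resolveDep(packages, path, name);
      if (target && !depth.has(target)) {
        depth.set(target, depth.get(path) + 1);
        queue.push(target);
      }
    }
  }

  const installScripts = Object.keys(packages).filter((p) => p !== "" && packages[p].hasInstallScript);
  return {
    direct: directPaths.size,
    transitive: transitivePaths.size,
    transitivePerDirect: directPaths.size ? transitivePaths.size / directPaths.size : 0,
    perDirect,
    maxDepth: Math.max(0, ...depth.values()),
    installScripts,
  };
}

console.log(JSON.stringify(summarizeLockfile(sampleLockfile), null, 2));
```

On the constructed tree this reports 3 direct and 5 transitive packages, a maximum depth of 3 and one package with an install script; the `installScripts` list is the first thing to read after a lockfile diff, because that is the code that runs during `npm install`.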

Real-World Supply Chain Attacks

event-stream Incident (2018): The original maintainer of a popular npm package (about 2 million downloads/week) handed publish rights to a volunteer who turned out to be an attacker. The attacker added a malicious dependency (flatmap-stream) whose payload stole keys from the Copay cryptocurrency wallet; every application that picked up the new version carried the code for weeks before it was noticed.
ua-parser-js Incident (2021): The maintainer's npm account was compromised and three poisoned versions of a package with 8 million weekly downloads were published. They ran a cryptocurrency miner and a password stealer from an install script.
colors.js / faker.js Incident (2022): The maintainer intentionally corrupted his own packages in protest, breaking builds for a very large number of projects that used unpinned version ranges. It demonstrated the single-point-of-failure risk of depending on one person's publish rights.

Our Dependency Security Architecture

Current Status

  • ✅ All dependencies up-to-date
  • ✅ Next.js 15.5.4 (latest stable)
  • ✅ 0 known vulnerabilities (npm audit)
  • ✅ package-lock.json committed (reproducible builds)

These are point-in-time statements: "up-to-date" and "0 known vulnerabilities" are only true as of the last `npm audit` / `npm outdated` run, and a newly published advisory can change the second one overnight. Re-run the checks rather than trusting this list.

Why Next.js 15.5.4 Specifically

We updated from 15.3.5 to 15.5.4 to pick up the fixes for three security advisories published against Next.js 15.x:
  • Cache Key Confusion (moderate)
  • Content Injection (moderate)
  • SSRF via Middleware Redirects (moderate)
Keeping frameworks updated is critical. According to Snyk's research, 80% of vulnerabilities have patches available within days, but the average time to patch is 148 days. Next.js advisories are published as GitHub Security Advisories on the vercel/next.js repository and show up in `npm audit` once they are in the GitHub Advisory Database.

Implementation Files

  • scripts/security-check.sh
    - Runs npm audit + shows outdated packages
  • package-lock.json
    - Locks exact versions and integrity hashes (supply chain consistency)

Running Security Audits

Basic Audit

```bash
# Check for vulnerabilities
npm audit

# Output shows:
# - Severity (critical, high, moderate, low)
# - Vulnerability description
# - Affected package
# - Recommended fix
```

`npm audit` sends the exact versions recorded in package-lock.json (or installed in node_modules) to the advisory database, so it only sees what is locked: run it after the lockfile is current, not before.

Production-Only Audit

```bash
# Only check production dependencies (ignores devDependencies)
npm audit --omit=dev
```

`npm audit --production` is the older spelling and still works, but npm 8+ treats it as a deprecated alias of `--omit=dev`. **Use this before every production deploy.** Must show: **0 vulnerabilities**. devDependencies still execute on developer machines and CI runners, so do not ignore the full `npm audit` output either; this command only decides what blocks a deploy.

Automated Security Check Script

```bash
# Run our comprehensive security check
bash scripts/security-check.sh
```

**What it does:**
1. Runs `npm audit` (shows vulnerabilities)
2. Runs `npm outdated` (shows outdated packages)
3. Provides fix commands

**Expected output when everything is current:**
```
=================================
Security & Dependency Check
=================================

=== Security Audit ===
found 0 vulnerabilities

=== Outdated Packages ===
```

`npm outdated` prints no rows when every package is already at its wanted version, so an empty section under "Outdated Packages" is the good outcome; a table with Current/Wanted/Latest columns means something needs attention.

Fixing Vulnerabilities

Automatic Fixes (Safe)

```bash
# Fix vulnerabilities with patch/minor version updates
npm audit fix
```

**What it does:**
- Updates vulnerable packages to the newest version that still satisfies the semver ranges in package.json (e.g., 1.2.3 → 1.2.4 or 1.2.3 → 1.3.0 under `^1.2.3`)
- Rewrites package-lock.json and node_modules accordingly
- **Safe by semver contract:** no intentional breaking changes, but a minor release can still change behaviour, so run the test suite afterwards
- Anything that cannot be fixed within those ranges is left in place and reported; that is where `--force` or a manual upgrade comes in

Force Fixes (Risky)

```bash
# Fix vulnerabilities with major version updates
npm audit fix --force
```

⚠️ **WARNING:** This can introduce breaking changes!

**What it does:**
- Installs semver-major updates of top-level packages (e.g., 1.2.3 → 2.0.0) and can even downgrade a package when that is the only version without a known advisory
- **May break your code** if the API changed

**After running --force:**
1. Check what changed: `git diff package.json package-lock.json`
2. Read migration guides for updated packages
3. Run tests: `npm test`
4. Test the app manually
5. Commit only if everything works

Manual Updates

```bash
# Update specific package (within its package.json range)
npm update package-name

# Update to specific version (also rewrites package.json to ^1.2.3 unless you pass --save-exact)
npm install package-name@1.2.3

# Update all packages to latest (respecting semver)
npm update
```

Dependency Update Strategy

Monthly Routine (30 minutes)

```bash
# 1. Check for outdated packages
npm outdated

# 2. Review what's outdated and why
#    Check changelogs for major updates

# 3. Update safe packages (patch/minor)
npm update

# 4. Run audit
npm audit

# 5. Fix vulnerabilities
npm audit fix

# 6. Test everything
npm test
npm run build

# 7. Commit if successful
git add package.json package-lock.json
git commit -m "chore: update dependencies"
```

Before Every Production Deploy

```bash
# Must show 0 vulnerabilities (--production is the deprecated spelling of --omit=dev)
npm audit --omit=dev
```

**If vulnerabilities found:**
1. Run `npm audit fix`
2. Test thoroughly
3. If the fix causes issues, investigate package alternatives
4. **Never deploy with known vulnerabilities**

Major Framework Updates (Quarterly)

When Next.js releases a major update (e.g., 15.x → 16.x):

```bash
# 1. Read the upgrade guide

# 2. Create a new branch
git checkout -b upgrade-nextjs-16

# 3. Update Next.js (React and React DOM move with it)
npm install next@latest react@latest react-dom@latest

# 4. Follow the migration guide
#    Update deprecated APIs
#    Test all features

# 5. Run the full test suite
npm test
npm run build
npm run lint

# 6. Test locally
npm run dev
#    Click through all features

# 7. Deploy to staging first
#    Test in a production-like environment

# 8. If successful, deploy to production
```

Next.js also ships a codemod runner (`npx @next/codemod@canary upgrade latest`) that applies the mechanical parts of a major upgrade; it is worth running at step 3 before hand-editing anything.

Preventing Supply Chain Attacks

1. Package-lock.json (Always Commit)

package-lock.json ensures:
- Exact versions installed (every package, transitive ones included)
- Reproducible builds
- Tamper detection, because each entry records a `resolved` URL and an `integrity` hash of the tarball

✅ **DO commit package-lock.json to git**

❌ **DON'T add package-lock.json to .gitignore**

A lockfile only protects what it was generated from. Review lockfile diffs in pull requests like code: an unexpected change to a `resolved` URL (for example, one that now points at a different registry host) is a red flag.

2. Verify Package Integrity

npm automatically verifies package integrity using the checksums from package-lock.json. Each entry carries an `integrity` field in Subresource Integrity format, `sha512-<base64 digest>`, computed over the package tarball. On install, npm hashes the downloaded tarball and refuses it if the digest differs:

```
npm ERR! code EINTEGRITY
npm ERR! sha512-... integrity checksum failed when using sha512: wanted sha512-... but got sha512-...
```

**This protects against:**
- Tampered packages on the npm registry (a tarball replaced after the lockfile was generated)
- Man-in-the-middle attacks during download
- Corrupted packages

It does not protect against a version that was already malicious when the lockfile was written; that is what the auditing steps below are for.

3. Audit New Packages Before Installing

Before adding a new package:
  1. Check the package's npm page:
    • Weekly downloads (popular = more vetted)
    • Last update date (recently maintained?)
    • Number of dependents (widely used?)
    • GitHub stars/issues
  2. Check for typosquatting:
    • react
      ✅ (correct)
    • raect
      ❌ (typo package - could be malicious)
    • reacct
      ❌ (typo package - could be malicious)
  3. Check package maintainers:
    • Look at who the maintainers are (`npm view package-name maintainers`)
    • Check their GitHub profile
    • A package that recently changed hands deserves a closer look; that is how event-stream was compromised
  4. Check GitHub:
    • Stars (popularity indicator)
    • Open issues (maintained?)
    • Recent commits
    • Code quality, and whether the published tarball matches the repository (`npm pack package-name --dry-run` lists what is actually shipped)
  5. Run audit after installing:
    ```bash
    npm install new-package
    npm audit
    ```

4. Use npm ci for Clean Installs

```bash
# In CI/CD pipelines, use:
npm ci

# Instead of:
npm install
```

**Why `npm ci`:**
- Installs exactly what package-lock.json says, with integrity checks, and never modifies the lockfile
- Fails if package.json and package-lock.json are out of sync
- Removes node_modules before installing
- Faster and more reliable for CI/CD

`npm install` on a CI runner will happily "fix" a lockfile that is out of date, which is exactly the dependency resolution you do not want happening unreviewed.

5. Avoid Dangerous Packages

Never install packages that:
  • Have very low download counts (< 100/week)
  • Were just published (wait a few weeks)
  • Have suspicious names (typosquatting)
  • Declare install scripts (`preinstall`/`postinstall`) with no obvious need for a build step
  • Have no public source repository, or ship a tarball that does not match it
Examples of dangerous packages (real incidents):
  • crossenv (typo of cross-env - was malicious)
  • babelcli (typo of babel-cli - was malicious)
  • mongose (typo of mongoose - was malicious)
All three belonged to the same 2017 batch of typosquatted packages, which exfiltrated environment variables (and with them CI secrets and npm tokens) from an install script.
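Sections 3 and 5 both come down to one question: is this name a known package or a near miss for one? As an added example (not the project's code), the Node.js check below normalises names the way the 2017 squatters relied on (dropping hyphens, dots and a `js` suffix) and computes an edit distance that counts a swapped pair of letters as one error, so `raect`, `reacct`, `crossenv`, `babelcli` and `mongose` are all flagged against a short list of popular names. The list, the candidate names and the thresholds are constructed for the demo and are assumptions to tune against your own dependencies; the output is a review queue, not a verdict.

```javascript
// Added example, not from the original page: flag package names that are
// exact or near-miss lookalikes of popular packages before `npm install`.
// The popular-name list is constructed for the demo; feed it the names you
// actually depend on (e.g. from package-lock.json) in real use.
const popularPackages = [
  "react", "react-dom", "next", "cross-env", "babel-cli", "mongoose",
  "lodash", "express", "jquery", "nodemailer", "axios",
];

// Squatters lean on separators and suffixes: cross-env -> crossenv,
// jquery -> jquery.js. Strip those so such variants compare as equal.
function normalizeName(name) {
  return name.toLowerCase().replace(/[-_.]/g, "").replace(/js$/, "");
}

// Optimal string alignment distance: insert, delete, substitute, or swap two
// adjacent characters, each costing 1. "raect" vs "react" is 1, not 2.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Verdicts: "known" (exact match), "lookalike" (identical after normalisation),
// "suspicious" (within the edit-distance threshold), "unrelated".
function checkPackageName(candidate, popular = popularPackages) {
  if (popular.includes(candidate)) {
    return { name: candidate, verdict: "known", closest: candidate, distance: 0 };
  }
  const n = normalizeName(candidate);
  let best = { closest: null, distance: Infinity };
  for (const p of popular) {
    const distance = osaDistance(n, normalizeName(p));
    if (distance < best.distance) best = { closest: p, distance };
  }
  // Longer names tolerate two errors; short names only one, to limit noise.
  const threshold = n.length >= 8 ? 2 : 1;
  let verdict = "unrelated";
  if (best.distance === 0) verdict = "lookalike";
  else if (best.distance <= threshold) verdict = "suspicious";
  return { name: candidate, verdict, ...best };
}

// Everything that is not an exact match and sits too close to a popular name.
function vetPackageNames(candidates, popular = popularPackages) {
  return candidates
    .map((c) => checkPackageName(c, popular))
    .filter((r) => r.verdict === "lookalike" || r.verdict === "suspicious");
}

// Constructed input: the page's typo examples plus two names that should pass.
const flagged = vetPackageNames(["react", "raect", "reacct", "crossenv", "babelcli", "mongose", "zod"]);
for (const r of flagged) {
  console.log(`${r.name}: ${r.verdict} (closest: ${r.closest}, distance ${r.distance})`);
}
```

Run it over the names in a pull request's package.json diff before approving the install; the "unrelated" verdict still says nothing about whether the package is safe, only that it is not impersonating something on your list.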

Dependency Confusion Attacks

What It Is

An attacker publishes a malicious package on the public registry with the same name as one of your internal packages. If npm resolves that name against the public registry (because the name is unscoped, or because the scope is not pinned to your internal registry), it may install the attacker's package instead, and a higher version number makes it the "wanted" version for any range that allows it.

Real Example

```bash
# Internal package (not on npm)
"@mycompany/auth": "1.0.0"

# Attacker publishes to npm
"@mycompany/auth": "99.0.0"

# npm might install attacker's version!
```

Prevention

  1. Use scoped packages for internal packages, and register the scope (the npm organisation) on the public registry so nobody else can publish under it:
    ```json
    {
      "name": "@mycompany/internal-package"
    }
    ```
  2. Configure npm to only use the internal registry for your scope:
    ```bash
    # .npmrc
    @mycompany:registry=https://npm.mycompany.com
    //npm.mycompany.com/:_authToken=${NPM_TOKEN}
    ```
  3. Don't publish internal packages to public npm
  4. Check the lockfile: every internal package's `resolved` URL should point at your registry host, and a diff that moves one to registry.npmjs.org is the attack in progress

If your internal registry is a proxy that falls through to npmjs.org for names it does not have, the scope pin alone does not help; make sure the proxy never merges the public registry into the internal scope.
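As an added example (not the project's code), the Node.js check below parses a `.npmrc`, works out which registry npm would resolve each dependency in package.json from, and flags internal packages that would be fetched from the public registry or that have no auth token configured for their pinned registry. The package.json, the two `.npmrc` variants (before and after the scope pin) and the list of internal scopes and names are constructed for the demo; the function assumes internal packages are identified either by scope (`@mycompany`) or by an explicit list of legacy unscoped names.

```javascript
// Added example, not from the original page: detect dependencies exposed to
// dependency confusion by resolving each one to the registry npm would use.
// All inputs below are constructed for the demo.
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Which packages are ours: a claimed scope plus legacy unscoped names.
const internalPackages = { scopes: ["@mycompany"], names: ["mycompany-logger"] };

const samplePackageJson = {
  dependencies: { next: "15.5.4", "@mycompany/auth": "^1.0.0", "mycompany-logger": "^2.3.0" },
};

// Before: nothing routes the internal scope anywhere special.
const sampleNpmrcBefore = "registry=https://registry.npmjs.org/\n";

// After: the scope is pinned to the internal registry and a token is supplied
// from the environment (npm expands ${NPM_TOKEN} when it reads the file).
const sampleNpmrcAfter = [
  "registry=https://registry.npmjs.org/",
  "@mycompany:registry=https://npm.mycompany.com",
  "//npm.mycompany.com/:_authToken=${NPM_TOKEN}",
].join("\n");

function parseNpmrc(text) {
  const config = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    config[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return config;
}

const withSlash = (url) => url.replace(/\/?$/, "/");
const scopeOf = (name) => (name.startsWith("@") ? name.slice(0, name.indexOf("/")) : null);

// npm consults "@scope:registry" first, then the global "registry" setting.
function registryFor(name, config) {
  const scope = scopeOf(name);
  const scoped = scope && config[`${scope}:registry`];
  return withSlash(scoped || config.registry || PUBLIC_REGISTRY);
}

// Auth keys are written as "//host/path/:_authToken" (or :_auth, :_password).
function hasAuthFor(registryUrl, config) {
  const prefix = withSlash(registryUrl).replace(/^https?:/, "");
  return Object.keys(config).some((k) => k.startsWith(prefix) && /:_(authToken|auth|password)$/.test(k));
}

function auditRegistryRouting(pkg, npmrcText, internal = internalPackages) {
  const config = parseNpmrc(npmrcText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(deps).map((name) => {
    const scope = scopeOf(name);
    const isInternal = internal.scopes.includes(scope) || internal.names.includes(name);
    const registry = registryFor(name, config);
    let risk = "ok";
    if (isInternal && registry === PUBLIC_REGISTRY) {
      risk = scope
        ? "scope not pinned: resolves from the public registry, so anyone who publishes the name wins"
        : "unscoped internal name: the public registry is consulted for any version an attacker publishes; move it under a pinned scope";
    } else if (isInternal && !hasAuthFor(registry, config)) {
      risk = "pinned, but no auth token is configured for the internal registry";
    }
    return { name, internal: isInternal, registry, risk };
  });
}

for (const row of auditRegistryRouting(samplePackageJson, sampleNpmrcBefore)) {
  console.log(`before: ${row.name} -> ${row.registry} ${row.risk}`);
}
for (const row of auditRegistryRouting(samplePackageJson, sampleNpmrcAfter)) {
  console.log(`after:  ${row.name} -> ${row.registry} ${row.risk}`);
}
```

The "after" run still flags `mycompany-logger`: an `.npmrc` scope pin fixes scoped names only, which is why step 1 (move internal packages under a claimed scope) has to come before step 2.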

scripts/security-check.sh

```bash
#!/bin/bash
# Runs the production audit and the outdated-package report, then prints the
# fix commands. Exit status is the audit's exit status, so CI can fail on it.
set -u

echo "================================="
echo "Security & Dependency Check"
echo "================================="
echo ""

echo "=== Security Audit ==="
# --omit=dev is the npm 8+ spelling of the deprecated --production flag.
# A non-zero exit means at least one vulnerability was found.
npm audit --omit=dev
audit_status=$?

echo ""
echo "=== Outdated Packages ==="
# npm outdated exits 1 when something is outdated; that is a report, not a failure.
npm outdated || true

echo ""
echo "================================="
echo "To fix vulnerabilities:"
echo "  npm audit fix              (safe patch/minor updates)"
echo "  npm audit fix --force      (risky major updates)"
echo ""
echo "To update outdated packages:"
echo "  npm update                 (respects semver)"
echo "  npm update package-name    (specific package)"
echo "================================="

exit "$audit_status"
```

Using Snyk for Enhanced Security

Install Snyk

```bash
npm install -g snyk

# Authenticate
snyk auth
```

Scan for Vulnerabilities

```bash
# Test project
snyk test

# Monitor project (continuous monitoring)
snyk monitor

# Test a specific package before installing
snyk test package-name
```

Add to CI/CD

```yaml
# .github/workflows/security.yml
name: Security Audit

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    # Run daily at 2am
    - cron: '0 2 * * *'

# Least privilege: this workflow only needs to read the repository.
permissions:
  contents: read

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          # Node 18 reached end-of-life in April 2025; use a supported LTS.
          node-version: '20'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run npm audit
        run: npm audit --omit=dev

      - name: Check for outdated packages
        run: npm outdated || true

      - name: Run Snyk test
        run: npx snyk test --severity-threshold=high
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```

The scheduled run matters because a new advisory can make yesterday's green build vulnerable without any commit. Pinning the actions to a commit SHA instead of a tag (`actions/checkout@<sha>`) closes the same tag-retargeting hole in the workflow's own supply chain.

Monitoring for New Vulnerabilities

GitHub Dependabot

Enable in GitHub:
  1. Go to repository Settings
  2. Open the Code security section (labelled "Security & analysis" in older versions of the GitHub UI)
  3. Enable "Dependabot alerts"
  4. Enable "Dependabot security updates"
What it does:
  • Matches your dependency graph (built from package-lock.json) against the GitHub Advisory Database and alerts when a new advisory affects you
  • Creates a PR when a vulnerability has a fixed version
  • The PR bumps the dependency to the fix version and updates package-lock.json
  • You review and merge

npm Audit in CI/CD

```bash
# Add to CI/CD pipeline
npm audit --omit=dev --audit-level=moderate
```

**Fails build if:**
- Any moderate or higher vulnerabilities found (`--audit-level` only sets the exit-code threshold; low-severity findings are still printed)
- Forces you to fix before deploy

What Dependency Security Prevents

  • ✅ Known vulnerability exploitation - Regular audits catch CVEs
  • ✅ Malicious package injection - Verification prevents tampering
  • ✅ Supply chain attacks - package-lock.json + verification
  • ✅ Dependency confusion - Scoped packages + registry config
  • ✅ Typosquatting attacks - Manual verification before install
  • ✅ Outdated vulnerable code - Regular update routine
  • ✅ Zero-day exploitation window - Fast patching reduces risk

Common Mistakes to Avoid

  • ❌ DON'T ignore npm audit warnings
  • ❌ DON'T use deprecated packages
  • ❌ DON'T skip testing after dependency updates
  • ❌ DON'T add package-lock.json to .gitignore
  • ❌ DON'T install packages without checking them first
  • ❌ DON'T run npm audit fix --force without testing

  • ✅ DO run npm audit before every deploy
  • ✅ DO commit package-lock.json
  • ✅ DO verify new packages before installing
  • ✅ DO update dependencies monthly
  • ✅ DO enable Dependabot alerts
  • ✅ DO use npm ci in CI/CD

Quick Reference Commands

```bash
# Check for vulnerabilities
npm audit
npm audit --omit=dev          # production dependencies only (--production is the deprecated alias)

# Fix vulnerabilities
npm audit fix                 # Safe
npm audit fix --force         # Risky, test thoroughly

# Check outdated packages
npm outdated

# Update packages
npm update                    # All packages
npm update package-name       # Specific package

# Install from lock file (CI/CD)
npm ci

# Run security check script
bash scripts/security-check.sh

# Test with Snyk
npx snyk test
```

Next Steps

  • For pre-deployment checks: Use the security-testing skill
  • For CI/CD integration: Add npm audit to the pipeline
  • For monitoring: Enable GitHub Dependabot alerts
  • For enhanced scanning: Install Snyk