2018-12-07
1008
#node
Alberto Gimeno
105
Dec 7, 2018 â‹… 3 min read

How to protect your Node.js applications from malicious dependencies

Alberto Gimeno Ecosystem Engineer at GitHub. Sometimes I write about JavaScript, Node.js, and frontend development.

Recent posts:

A Complete Guide to Fetch API In Javascript

A complete guide to Fetch API in JavaScript

Learn how to use the Fetch API, an easy method for fetching resources from a remote or local server through a JavaScript interface.

Njong Emy
Mar 17, 2025 â‹… 8 min read
typescript enums

TypeScript enums: Usage, advantages, and best practices

Learn how TypeScript enums work, the difference between numeric and string enums, and when to use enums vs. other alternatives.

Clara Ekekenta
Mar 14, 2025 â‹… 7 min read
how to handle react-scripts in a fast-changing React landscape

How to handle react-scripts in a fast-changing React landscape

Review the basics of react-scripts, its functionality, status in the React ecosystem, and alternatives for modern React development.

Ibrahima Ndaw
Mar 13, 2025 â‹… 9 min read
how to delete local and remote branches in Git

How to delete local and remote branches in Git

Explore the fundamental commands for deleting local and remote branches in Git, and discover more advanced branch management techniques.

Timonwa Akintokun
Mar 13, 2025 â‹… 7 min read
View all posts

2 Replies to "How to protect your Node.js applications from malicious dependencies"

  1. This method is good for standard methods, but do you know what is a good way to block calls at the system level? When calls reach the v8 engine or uv, it should be able to implement a gating mechanism where the user can be asked consent.
    This model is similar to android apps where we are told the permissions that the app requires in advance, and any additional access is denied till the user explicitly approves it.

  2. I actually created a library that does something very similar to this, but uses a more sensible approach for permissions. It also differentiates between 1st/3rd party code so that your main application doesn’t have to jump through hoops https://github.com/yaakov123/hagana

Leave a Reply