npm makes it stupidly easy to add code to your project. That's the problem.
Every npm install is a trust decision. You're letting someone else's code run on your machine, with your permissions, accessing your files.
Here's how to not get burned.
1. Actually Read What You're Installing
I know, I know. Nobody does this. But at minimum, check:
- How many downloads does it have?
- When was it last updated?
- Who's the publisher?
A package with 50 downloads from last week? That's a red flag.
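The three checks above are easy to automate. The function below is an added example, not code from the original post: it takes a package document shaped like the npm registry's (the `time` and `maintainers` fields) plus a weekly download count like the one the registry's downloads API returns, and reports red flags. The sample values are constructed, and the thresholds are assumptions to tune for your own team (the two-year staleness default comes from point 8 of this post).

```javascript
// Added example (not from the original post): turn "downloads, last update,
// publisher" into a function you can run before adding a dependency.
// `packument` mirrors the registry's package document (time.created,
// time.modified, maintainers); `weeklyDownloads` mirrors the downloads API.

const DAY_MS = 24 * 60 * 60 * 1000;

function assessPackage(packument, weeklyDownloads, opts = {}) {
  const {
    minWeeklyDownloads = 1000,   // assumption: below this, few people have vetted it
    minAgeDays = 30,             // assumption: created more recently than this is "brand new"
    maxStaleDays = 2 * 365,      // the post's "2+ years without an update"
    trustedPublishers = null,    // optional allowlist of maintainer usernames
    now = new Date(),
  } = opts;

  const flags = [];
  const created = new Date(packument.time.created);
  const modified = new Date(packument.time.modified);
  const ageDays = (now - created) / DAY_MS;
  const staleDays = (now - modified) / DAY_MS;

  if (weeklyDownloads < minWeeklyDownloads) {
    flags.push(`low adoption: ${weeklyDownloads} downloads last week`);
  }
  if (ageDays < minAgeDays) {
    flags.push(`brand new: first published ${Math.floor(ageDays)} days ago`);
  }
  if (staleDays > maxStaleDays) {
    flags.push(`stale: last updated ${Math.floor(staleDays / 365)} years ago`);
  }

  const names = (packument.maintainers || []).map((m) => m.name);
  if (names.length === 0) {
    flags.push('no listed maintainers');
  } else if (trustedPublishers && !names.some((n) => trustedPublishers.includes(n))) {
    flags.push(`unrecognised publisher(s): ${names.join(', ')}`);
  }
  return flags;
}

// Constructed sample: a week-old package with 50 downloads and one maintainer.
const SAMPLE_PACKUMENT = {
  name: 'totally-legit-utils', // constructed name
  time: { created: '2024-05-01T00:00:00.000Z', modified: '2024-05-06T00:00:00.000Z' },
  maintainers: [{ name: 'new-account-123', email: 'someone@example.com' }],
};

const sampleFlags = assessPackage(SAMPLE_PACKUMENT, 50, {
  now: new Date('2024-05-08T00:00:00.000Z'),
});
console.log(sampleFlags.length ? sampleFlags : ['no red flags']);
```

None of these flags proves a package is malicious; they tell you which installs deserve a closer look before you run them.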
2. Use a Lockfile and Actually Commit It
package-lock.json exists for a reason. It pins exact versions so you don't accidentally get a compromised update.
If someone on your team hasn't committed the lockfile, go yell at them. Nicely.
3. Run npm audit (But Don't Trust It Blindly)
npm audit is built in. Use it. It catches known vulnerabilities.
But here's the thing — it only catches known issues. It won't flag a brand-new malicious package. That's why you need layered security.
4. Be Skeptical of Tiny Packages
"is-even", "is-odd", "left-pad". Remember left-pad?
Tiny packages add dependencies, which add more dependencies. Your simple project ends up with 800 packages. Each one is an attack surface.
Ask yourself: "Can I just write this myself in 5 lines?"
5. Check for Typosquats Before Installing
"loadsh" is not "lodash". People make this mistake constantly, and attackers know it.
Double-check the spelling. Or use a tool like Redakta that does it for you.
6. Don't Install Globally Unless You Must
npm install -g sketchy-package gives that package access to your entire system. Bad idea.
Use npx for one-off commands. Keep global installs to trusted tools only.
7. Review Install Scripts
Packages can run code during npm install via preinstall/postinstall scripts. This is where a lot of attacks happen.
Check package.json for scripts before installing unknown packages. Or use npm install --ignore-scripts when you're paranoid.
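Reading package.json by hand for every new dependency gets old fast. The following is an added example, not code from the original post: it takes a set of package.json texts and lists every lifecycle script that would execute during installation, so an empty result means nothing runs at install time. The two manifests are constructed samples; in a real check you would read them from the downloaded tarballs or from node_modules/<name>/package.json.

```javascript
// Added example (not from the original post): report which lifecycle scripts
// would run during `npm install` for each package you are about to pull in.

// Hooks npm runs when a package is installed as a dependency. `prepare` is
// included because npm runs it for dependencies installed from a git URL.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Takes { packageName: packageJsonText } and returns one finding per hook that
// would run. Unparseable manifests are reported rather than silently skipped,
// because "we could not read it" is itself a reason not to install it.
function findInstallScripts(packages) {
  const findings = [];
  for (const [name, text] of Object.entries(packages)) {
    let manifest;
    try {
      manifest = JSON.parse(text);
    } catch (err) {
      findings.push({ package: name, hook: null, command: null, error: `unparseable package.json: ${err.message}` });
      continue;
    }
    const scripts = manifest.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] === 'string' && scripts[hook].trim() !== '') {
        findings.push({ package: name, hook, command: scripts[hook] });
      }
    }
  }
  return findings;
}

// Constructed samples: one package with a postinstall hook, one without.
const SAMPLE_PACKAGES = {
  'some-native-addon': JSON.stringify({
    name: 'some-native-addon',
    version: '1.2.3',
    scripts: { postinstall: 'node-gyp rebuild', test: 'mocha' },
  }),
  'plain-library': JSON.stringify({
    name: 'plain-library',
    version: '4.0.0',
    scripts: { test: 'jest', build: 'tsc' },
  }),
};

console.log(findInstallScripts(SAMPLE_PACKAGES));
// [ { package: 'some-native-addon', hook: 'postinstall', command: 'node-gyp rebuild' } ]
```

A postinstall hook is not proof of anything bad (native addons legitimately compile during install), but it is the list of commands you are agreeing to run, so read each one. If you want `--ignore-scripts` to be the default rather than something you remember to type, `ignore-scripts=true` in your project's .npmrc does that, at the cost of having to run the build steps of packages that genuinely need them yourself.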
8. Keep Everything Updated
Old dependencies have known vulnerabilities. That's just how it works.
Run npm outdated regularly. Update what you can. If a package hasn't been updated in 2+ years, maybe find an alternative.
9. Use Two-Factor Auth on npm
If you publish packages, enable 2FA. If your account gets compromised, attackers can push malicious updates to all your users.
This has happened to major packages. Don't be next.
10. Automate Security Scanning
Manual checks don't scale. You'll forget. Your teammates will forget.
Set up automated scanning in your CI/CD pipeline. Every push gets checked. Bad packages get caught before they reach production.
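Points 3 and 10 come together in a build gate: run npm audit in the pipeline and fail the job when anything at or above a chosen severity shows up. The code below is an added example, not from the original post: it reads the JSON that `npm audit --json` prints and decides pass or fail. The report is a constructed sample in the shape npm 7+ uses (a `vulnerabilities` map keyed by package name, each entry carrying `severity` and `isDirect`); in CI you would feed it the real output.

```javascript
// Added example (not from the original post): a CI gate over `npm audit --json`
// output. Fails when any vulnerability is at or above the chosen severity and
// lists direct dependencies first, since those are the ones your team can fix.

const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

function severityRank(s) {
  const i = SEVERITY_ORDER.indexOf(s);
  if (i === -1) throw new Error(`unknown severity: ${s}`);
  return i;
}

// Accepts the report as a JSON string or an already-parsed object and returns
// { pass, failing } where `failing` lists the packages breaching the threshold.
function auditGate(reportJson, { failOn = 'high' } = {}) {
  const report = typeof reportJson === 'string' ? JSON.parse(reportJson) : reportJson;
  const threshold = severityRank(failOn);
  const failing = Object.values(report.vulnerabilities || {})
    .filter((v) => severityRank(v.severity) >= threshold)
    .map((v) => ({ name: v.name, severity: v.severity, isDirect: Boolean(v.isDirect) }))
    .sort((a, b) => Number(b.isDirect) - Number(a.isDirect) || a.name.localeCompare(b.name));
  return { pass: failing.length === 0, failing };
}

// Constructed sample report: one moderate issue in a transitive dependency and
// one critical issue in a direct dependency. Package names are placeholders.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'transitive-thing': { name: 'transitive-thing', severity: 'moderate', isDirect: false, range: '<2.0.0' },
    'direct-thing': { name: 'direct-thing', severity: 'critical', isDirect: true, range: '<=1.4.2' },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 0, critical: 1, total: 2 } },
};

const result = auditGate(SAMPLE_REPORT, { failOn: 'high' });
console.log(result.pass
  ? 'audit gate passed'
  : `audit gate failed: ${result.failing.map((f) => `${f.name} (${f.severity})`).join(', ')}`);
```

npm can enforce a threshold on its own with `npm audit --audit-level=high`; parsing the JSON yourself is worth it when you want the findings as structured data, for example to post them on the pull request or to combine them with the install-script and typosquat checks from earlier in this post. Keep point 3 in mind: this gate only knows about published advisories, so it is one layer, not the whole defence.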
Wrapping Up
npm isn't going anywhere. It's too useful. But that convenience comes with responsibility.
You don't need to be paranoid about every package. Just... don't be naive either. A bit of caution goes a long way.