How to Mitigate Risk Associated With Node.js Dependencies
Overview
This document explains the settings and steps you should take to mitigate risks associated with Node.js dependencies. Follow these steps to reduce risks to your project.
Built-in npm Settings
If your project uses npm, set the following options in your .npmrc file:
min-release-age=1
ignore-scripts=true
allow-git=none
You can add all three settings with one command from the root of your project's directory:
npm config set min-release-age=1 ignore-scripts=true allow-git=none --location=project
Please note: the settings above require npm 11.10.0 or later. Iron Bank's images will ship with these versions, which can also be used for local development.
min-release-age
What It Is
npm has the .npmrc setting min-release-age that requires package versions to be at least N days old before npm will install them.
How It Behaves
npm drops every version of a package that is younger than the threshold before choosing one. If no version satisfies both the version range in package.json and the age requirement, npm install exits with a non-zero status rather than falling back to the too-new version.
How It Benefits Your Team
- Delays installation of newly published versions until they reach the minimum age, reducing exposure to malicious versions that are typically reported and removed from the registry within a short window after publication.
- Provides a built-in buffer against newly introduced malicious versions.
- Offers stronger protection than version pinning alone: a lockfile pins only the versions you have already resolved, and a compromised update can still arrive through a transitive dependency when ranges are re-resolved, whereas the age requirement applies to every package npm resolves.
Required Action
Add min-release-age=N to your .npmrc, where N is a number of days between 1 and 3.
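As an added illustration (not code from this document or from npm itself), the following script models how an age floor like min-release-age narrows version selection: drop every version published less than N days ago, then take the highest version that remains, and report failure when nothing remains. The packument, its version numbers and publish dates, and the fixed clock are constructed sample data; real npm applies this filter while resolving the version range from package.json, which the example does not model.

```javascript
// Added example: an age filter in the spirit of npm's min-release-age.
// The document below is constructed sample data in the shape of a registry
// packument (a "versions" map plus a "time" map of publish dates); it is not
// a real package's metadata.
const packument = {
  name: 'example-lib', // constructed sample package
  'dist-tags': { latest: '2.1.0' },
  versions: { '2.0.0': {}, '2.0.1': {}, '2.1.0': {} },
  time: {
    created: '2026-03-01T00:00:00.000Z',
    modified: '2026-04-16T12:00:00.000Z',
    '2.0.0': '2026-03-01T00:00:00.000Z',
    '2.0.1': '2026-04-10T09:30:00.000Z',
    '2.1.0': '2026-04-16T12:00:00.000Z', // published 12 hours before "now"
  },
};

// Compare two x.y.z version strings numerically (no prerelease handling;
// sufficient for this example).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Versions whose publish time is at least minDays before `now`.
function eligibleVersions(doc, minDays, now) {
  const cutoff = now.getTime() - minDays * 24 * 60 * 60 * 1000;
  return Object.keys(doc.versions).filter((v) => {
    const published = doc.time[v];
    // A version without a publish timestamp cannot prove its age: treat it as too new.
    return published !== undefined && Date.parse(published) <= cutoff;
  });
}

// Highest version that satisfies the age requirement, or null when none does
// (the case in which npm install exits with a non-zero status).
function pickVersion(doc, minDays, now) {
  const candidates = eligibleVersions(doc, minDays, now).sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

const now = new Date('2026-04-17T00:00:00.000Z'); // fixed clock for a reproducible run

console.log(pickVersion(packument, 0, now)); // 2.1.0: no age floor, newest wins
console.log(pickVersion(packument, 1, now)); // 2.0.1: 2.1.0 is only 12 hours old
console.log(pickVersion(packument, 60, now)); // null: nothing is 60 days old yet
```

The third call is the failure mode described above: a value of 60 leaves nothing eligible, so a real install would fail rather than silently take the newest version. Keep the value in the 1 to 3 day range so that ordinary updates still resolve.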
ignore-scripts
What It Is
npm has the .npmrc setting ignore-scripts=true, which blocks all lifecycle scripts during installs (preinstall, postinstall, etc.).
How It Behaves
When you install dependencies with ignore-scripts enabled, npm still downloads and installs the packages, but it does not run any lifecycle scripts (preinstall, install, postinstall, prepare), whether they belong to a dependency or to your own package.json. Commands that name a script, such as npm run build or npm test, still run that script but skip its pre- and post- hooks. If a dependency genuinely needs its install step (for example a native addon built with node-gyp), run it deliberately for that one package with npm rebuild <package> --ignore-scripts=false rather than re-enabling scripts for everything.
How It Benefits Your Team
- Some Node.js dependencies include scripts that run on install (such as preinstall, postinstall, and prepare). These scripts are a common vector for supply chain attacks and are discouraged because of the complexity and risk they add. Newer package managers (e.g., pnpm) disable them by default.
- Blocks the install-time execution that common npm malware relies on to start crypto-miners, exfiltrate credentials, or drop remote access tools. Note that this covers install time only; malicious code in a package's runtime modules still executes when your application imports it.
- Provides significant risk reduction with minimal impact to most projects.
Required Action
Add ignore-scripts=true to your .npmrc.
allow-git
What It Is
npm has the .npmrc setting allow-git=none, which prevents the installation of git‑based dependencies.
How It Behaves
npm refuses to install any dependency whose specifier points at a git repository rather than a registry tarball, so npm install fails instead of cloning the repository.
How It Benefits Your Team
- Prevents dependencies from being installed directly from Git repositories (such as GitHub or GitLab). Git-sourced installs bypass the registry and with it versioning, integrity hashes, provenance, and automated review; a lockfile records no integrity value for them.
- Removes an attack vector: a compromised repository, a moved tag, or force-pushed malicious history can change what a git specifier installs without any publish to the registry.
Required Action
Add allow-git=none to your .npmrc.
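To see what ignore-scripts and allow-git would block in an existing project, here is an added example (it is not part of this document and not an npm tool): it reads a package-lock.json, lists dependencies that npm flagged with hasInstallScript (the field npm writes in lockfileVersion 2 and 3 for packages with preinstall, install or postinstall scripts) and dependencies whose resolved URL is a git repository, and checks a .npmrc for the three settings above. The lockfile contents, the .npmrc text and the package names are constructed sample data; the .npmrc is deliberately missing one setting so the check has something to report.

```javascript
// Added example (not from this document or from npm): audit a lockfile for
// the two things ignore-scripts and allow-git defend against, and check a
// .npmrc for the recommended settings. All inputs below are constructed.

// Abbreviated package-lock.json (lockfileVersion 3). npm sets
// hasInstallScript on packages with preinstall/install/postinstall scripts;
// git-sourced packages carry a git URL in "resolved" and no integrity hash.
const lockfileJson = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'example-app',
      dependencies: {
        'good-lib': '^1.0.0',
        'native-addon': '^3.2.0',
        'forked-util': 'git+https://github.com/example/forked-util.git',
      },
    },
    'node_modules/good-lib': {
      version: '1.0.3',
      resolved: 'https://registry.npmjs.org/good-lib/-/good-lib-1.0.3.tgz',
      integrity: 'sha512-constructed-placeholder',
    },
    'node_modules/native-addon': {
      version: '3.2.1',
      resolved: 'https://registry.npmjs.org/native-addon/-/native-addon-3.2.1.tgz',
      integrity: 'sha512-constructed-placeholder',
      hasInstallScript: true,
    },
    'node_modules/forked-util': {
      version: '0.4.0',
      resolved: 'git+ssh://git@github.com/example/forked-util.git#0123456789abcdef0123456789abcdef01234567',
    },
  },
});

// Constructed .npmrc that is missing one of the three settings.
const npmrcText = [
  '; constructed sample .npmrc',
  'min-release-age=1',
  'ignore-scripts=true',
].join('\n');

const GIT_SPEC = /^git(\+[a-z]+)?:/; // git:, git+ssh:, git+https:, ...

// Walk the lockfile's "packages" map and collect dependencies that run
// install scripts, come from a git repository, or lack an integrity hash.
function auditLockfile(json) {
  const lock = JSON.parse(json);
  const findings = { installScripts: [], gitSources: [], missingIntegrity: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    // Last path segment after "node_modules/" handles nested and scoped packages.
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const id = `${name}@${entry.version}`;
    if (entry.hasInstallScript) findings.installScripts.push(id);
    if (typeof entry.resolved === 'string' && GIT_SPEC.test(entry.resolved)) findings.gitSources.push(id);
    if (!entry.integrity) findings.missingIntegrity.push(id);
  }
  return findings;
}

// Parse key=value lines from .npmrc, ignoring comments and blank lines.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// The three settings this document asks for, with the value each must have.
const REQUIRED = {
  'min-release-age': (v) => Number(v) >= 1,
  'ignore-scripts': (v) => v === 'true',
  'allow-git': (v) => v === 'none',
};

// Names of required settings that are absent or set to a weaker value.
function missingSettings(cfg) {
  return Object.keys(REQUIRED).filter((k) => !(k in cfg) || !REQUIRED[k](cfg[k]));
}

console.log(auditLockfile(lockfileJson));
// { installScripts: ['native-addon@3.2.1'], gitSources: ['forked-util@0.4.0'], missingIntegrity: ['forked-util@0.4.0'] }
console.log(missingSettings(parseNpmrc(npmrcText))); // ['allow-git']
```

Pointing auditLockfile at a real lockfile tells you in advance which packages will stop building under ignore-scripts (candidates for a targeted npm rebuild) and which git-sourced dependencies must be moved to a registry release before allow-git=none will let the install succeed.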
Built-in Yarn Classic Settings
As of 17 April 2026, we are using version 1.22.22 of Yarn (aka Yarn Classic). This version supports only ignore-scripts; it has no equivalent of min-release-age or allow-git.
We recommend you use the following setting in your project's .yarnrc file if you are using yarn:
ignore-scripts true