Last week's Lottie-Player compromise showed how NPM's lack of mandatory security controls continues to make supply chain attacks effective. While investigating popular JavaScript libraries, I found that most don't leverage NPM's provenance attestation, proper version pinning, or SRI checks.
The concerning patterns I found:
- Major packages (react, lodash, express) don't use NPM provenance
- Widespread use of @latest tags in production
- Missing SRI checks in CDN deployments
- No server-side enforcement of attestation
- Client-side tooling lacks verification options
https://github.com/twbs/icons/pull/2077: testing on a first project with 30m downloads