Local development security
Given the emerging supply chain attacks, it is not enough to rely on CI security checks.
Those only safeguard CI itself, and prevent merging compromised code to develop.
Additional hardening for local development is highly recommended for developers to work safely with npm packages (adding new npm packages, updating existing ones).
PMG by SafeDep
pmg is a tool that wraps yarn, and scans packages that are being fetched from npm registry for known malicious code.
PMG was chosen because it is fully open source, with permissible license, works well with yarn and can easily be built from source.
You can refer to the official documentation for more details.
See their Quick start README for setup instructions.
Note that building from source is a viable option.
You can test it by running yarn add [email protected] (PMG blocks the package as if it was malicious).
Alternatives
- SFW was explored previously, but rejected due to being closed source and higher setup complexity.
- DataDog firewall was rejected because it doesn’t support
yarn