Laurie Voss, co-founder of npm, recently sent out a tweet highlighting that a major bank had published a private package to the npm registry… and left it there for over 3 years. For those who don’t know, npm is a major software repository that holds the public Node.js libraries. It’s also classified as the largest software registry in the world. So yes, certainly a big deal.
I have seen npm really up its game lately by enforcing security at the package level. Node.js will notify you if a package is out of date and remind you to update it to fix any potential security vulnerabilities and bugs. A great way to elevate the level of security for Node.js across the board.
But this event did not happen on the Node.js side. It happened on the organisation side. Setting up an intermediate repository is a great solution for enhancing the security of an organisation, as it applies the separation-of-concerns (SoC) design principle, which reduces the risk of something like this occurring. Exercising security best practices is another way to mitigate this risk.
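As an added example (not from the post, and not npm's own tooling), here is a small pre-publish guard that refuses to publish a package unless its publishConfig points at the organisation's internal registry, which is the kind of check that would have stopped an internal package from landing on the public registry. The internal registry hostname and the sample package manifests are assumed placeholders.

```javascript
// Added example: a "prepublishOnly" guard for package.json.
// It refuses to publish unless publishConfig.registry names the approved
// internal registry, so a missing or public registry setting fails closed.

const PUBLIC_REGISTRY_HOSTS = ['registry.npmjs.org', 'registry.npmjs.com'];
const INTERNAL_REGISTRY_HOST = 'npm.internal.example.com'; // assumed placeholder

// Decide whether a parsed package.json may be published.
// Returns { ok, reason } so callers can log the reason and set the exit code.
function checkPublishTarget(pkg) {
  if (pkg.private === true) {
    return { ok: false, reason: 'package is marked private; nothing should be published' };
  }
  const registry = pkg.publishConfig && pkg.publishConfig.registry;
  if (!registry) {
    return { ok: false, reason: 'no publishConfig.registry; npm would default to the public registry' };
  }
  let host;
  try {
    host = new URL(registry).host;
  } catch (e) {
    return { ok: false, reason: `publishConfig.registry is not a valid URL: ${registry}` };
  }
  if (PUBLIC_REGISTRY_HOSTS.includes(host)) {
    return { ok: false, reason: `registry ${host} is the public npm registry` };
  }
  if (host !== INTERNAL_REGISTRY_HOST) {
    return { ok: false, reason: `registry ${host} is not the approved internal registry` };
  }
  return { ok: true, reason: `publishing to internal registry ${host}` };
}

// Read package.json from disk and apply the check; wire this up as
// "prepublishOnly": "node check-publish.js" and exit non-zero on failure.
function checkPackageJsonFile(path) {
  const pkg = JSON.parse(require('fs').readFileSync(path, 'utf8'));
  return checkPublishTarget(pkg);
}

// Constructed sample manifests (placeholders, not real packages).
const SAMPLE_PACKAGES = {
  // No publishConfig at all: exactly the case that ends up public by default.
  leaked: { name: 'internal-ledger-tools', version: '1.0.0' },
  // Correctly scoped and pinned to the internal registry.
  internal: {
    name: '@acme/ledger-tools',
    version: '1.0.0',
    publishConfig: { registry: 'https://npm.internal.example.com/' },
  },
};
```

In a real setup the hostname would come from the organisation's registry configuration rather than a constant, and the same guard belongs in CI so it cannot be skipped with a local publish.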
Node.js security has been a major topic of discussion over the past few years, and these types of events are likely to keep happening. Nicely handled by Laurie on this though, making sure the public is well-informed and doubly sure that no private repos are up there!