How to Protect Against Dependency Confusion in CI
Dependency confusion tricks a build into pulling a public package that shadows an internal one; scope and registry pinning stop it.
Publish internal packages under a reserved scope (@yourorg/*) and bind that scope to your private registry in .npmrc. With the scope mapped, npm never falls back to the public registry for internal names, closing the confusion vector.
Steps
- Move internal packages under a dedicated
@scope. - Map that scope to the private registry in
.npmrc. - Reserve the scope on the public registry so no one can claim it.
.npmrc
.npmrc
@yourorg:registry=https://npm.internal.example.com
//npm.internal.example.com/:_authToken=${REGISTRY_TOKEN}
registry=https://registry.npmjs.orgGotchas
- Unscoped internal names remain vulnerable; the scope mapping is what isolates them.
- Commit
.npmrcwithout the token and inject the token from a secret at build time.
Related guides
How to Use a Private or Proxied Registry in CIRoute CI package installs through a private or proxied registry so builds pull vetted, cached artifacts from…
How to Enforce Lockfile Integrity in CIEnforce exact, reproducible dependency installs in CI with npm ci and frozen-lockfile modes, so a mismatched…