Skip to content
Latchkey

How to Protect Against Dependency Confusion in CI

Dependency confusion tricks a build into pulling a public package that shadows an internal one; scope and registry pinning stop it.

Publish internal packages under a reserved scope (@yourorg/*) and bind that scope to your private registry in .npmrc. With the scope mapped, npm never falls back to the public registry for internal names, closing the confusion vector.

Steps

  • Move internal packages under a dedicated @scope.
  • Map that scope to the private registry in .npmrc.
  • Reserve the scope on the public registry so no one can claim it.

.npmrc

.npmrc
@yourorg:registry=https://npm.internal.example.com
//npm.internal.example.com/:_authToken=${REGISTRY_TOKEN}
registry=https://registry.npmjs.org

Gotchas

  • Unscoped internal names remain vulnerable; the scope mapping is what isolates them.
  • Commit .npmrc without the token and inject the token from a secret at build time.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →