From 0dff8842ef5cc06577621d85e1dc654075f76944 Mon Sep 17 00:00:00 2001 From: Kyle Martin Date: Fri, 5 Apr 2019 14:09:41 +1300 Subject: [PATCH 1/4] New BP 6.25 avoid publishing secrets to npm --- README.md | 17 ++++++++- sections/security/avoid_publishing_secrets.md | 38 +++++++++++++++++++ 2 files changed, 53 insertions(+), 2 deletions(-) create mode 100644 sections/security/avoid_publishing_secrets.md diff --git a/README.md b/README.md index 0cf0dd3e..f93a0290 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@
- 81 items Last update: March 10, 2019 Updated for Node 10.15.3 LTS + 82 items Last update: March 10, 2019 Updated for Node 10.15.3 LTS

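Review bot: in the README header hunk the item count is bumped from 81 to 82 but the "Last update: March 10, 2019" text on the same line is left untouched, although this commit is dated 5 Apr 2019; update the date in the same edit so the header stays consistent, e.g. `+ 82 items Last update: April 5, 2019 Updated for Node 10.15.3 LTS`.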
@@ -26,6 +26,8 @@ Read in a different language: [![CN](/assets/flags/CN.png)**CN**](/README.chines # Latest Best Practices and News +- **New best practice:** 6.25: [Avoid publishing secrets to the npm registry](/sections/security/avoid_publishing_secrets.md) + - **New translation:** ![BR](/assets/flags/BR.png) [Brazilian Portuguese](/README.brazilian-portuguese.md) available now, courtesy of [Marcelo Melo](https://github.com/marcelosdm)! ❤️ - **New best practice:** 4.2: Include 3 parts in each test name - [_From the section "Testing and overall quality"_](https://github.com/i0natan/nodebestpractices#4-testing-and-overall-quality-practices) @@ -689,7 +691,7 @@ All statements above will return false if used with `===` # `6. Security Best Practices`
-53 items +54 items
## ![✔] 6.1. Embrace linter security rules @@ -973,6 +975,17 @@ All statements above will return false if used with `===` 🔗 [**Read More: Prevent unsafe redirects**](/sections/security/saferedirects.md) +

+ +## ![✔] 6.25. Avoid publishing secrets to the npm registry + + + +**TL;DR:** Precautions should be taken to avoid the risk of accidentally publishing secrets to public npm registries. An `.npmignore` file can be used to blacklist specific files or folders, or the `files` array in `package.json` can act as a whitelist. + +**Otherwise:** Your project's API keys, passwords or other secrets are open to be abused by anyone who comes across them, which may result in financial loss, impersonation, and other risks. + +🔗 [**Read More: Avoid publishing secrets**](/sections/security/avoid_publishing_secrets.md)


⬆ Return to top

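Review bot: the 6.25 TL;DR in this README hunk presents `.npmignore` and the `files` array as two interchangeable options but omits the precedence rule that the new section page itself describes as the common source of leaks (`.npmignore` overrides `.gitignore` for publishing, and `files` takes precedence over the ignore file); one clause to that effect, e.g. "note that an `.npmignore` file replaces `.gitignore` for publishing purposes, so a secret excluded only in `.gitignore` will still be packed", would make the summary carry the actual risk rather than leaving it to the linked page.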
diff --git a/sections/security/avoid_publishing_secrets.md b/sections/security/avoid_publishing_secrets.md new file mode 100644 index 00000000..699c2d1d --- /dev/null +++ b/sections/security/avoid_publishing_secrets.md 
@@ -0,0 +1,38 @@ +# Avoid publishing secrets to the npm registry + +### One Paragraph Explainer +Precautions should be taken to avoid the risk of accidentally publishing secrets to public npm registries. An `.npmignore` file can be used to blacklist specific files or folders, or the `files` array in `package.json` can act as a whitelist. + +It is important to note that if a project is utilising both `.npmignore` and `.gitignore` files, everything which isn't in `.npmignore` is published to the registry(i.e. the `.npmignore` file overrides the `.gitignore`). This condition is a common source of confusion and is a problem that can lead to leaking secrets. Developers may end up updating the `.gitignore` file, but forget to update `.npmignore` as well, which can lead to a potentially sensitive file not being pushed to source control, but still being included in the npm package. + +### Code example +Example .npmignore file +``` +#tests +test +coverage + +#build tools +.travis.yml +.jenkins.yml + +#environment +.env +.config + +``` + +Example use of files array in package.json + +``` +{ "files" : [ + "dist/moment.js", + "dist/moment.min.js" + ] +} +``` + +### What other bloggers say + +From the blog by [Liran Tal & Juan Picado at Snyk](https://snyk.io/blog/ten-npm-security-best-practices/): +> ... Another good practice to adopt is making use of the files property in package.json, which works as a whitelist and specifies the array of files to be included in the package that is to be created and installed (while the ignore file functions as a blacklist). The files property and an ignore file can both be used together to determine which files should explicitly be included, as well as excluded, from the package. When using both, the former the files property in package.json takes precedence over the ignore file. \ No newline at end of file From 537b4bf83dca6f4654c15a044ac9877c25ea97f5 Mon Sep 17 00:00:00 2001 
From: Kyle Martin Date: Fri, 5 Apr 2019 14:12:51 +1300 Subject: [PATCH 2/4] indent --- sections/security/avoid_publishing_secrets.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sections/security/avoid_publishing_secrets.md b/sections/security/avoid_publishing_secrets.md index 699c2d1d..79281a29 100644 --- a/sections/security/avoid_publishing_secrets.md +++ b/sections/security/avoid_publishing_secrets.md @@ -25,10 +25,11 @@ coverage Example use of files array in package.json ``` -{ "files" : [ +{ + "files" : [ "dist/moment.js", "dist/moment.min.js" - ] + ] } ``` From 963c0b860c5d1a3849585baa2acaf76535274c74 Mon Sep 17 00:00:00 2001 From: Kyle Martin Date: Fri, 5 Apr 2019 14:20:37 +1300 Subject: [PATCH 3/4] Add npm blog --- sections/security/avoid_publishing_secrets.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sections/security/avoid_publishing_secrets.md b/sections/security/avoid_publishing_secrets.md index 79281a29..e1629503 100644 --- a/sections/security/avoid_publishing_secrets.md +++ b/sections/security/avoid_publishing_secrets.md 
@@ -36,4 +36,7 @@ Example use of files array in package.json ### What other bloggers say From the blog by [Liran Tal & Juan Picado at Snyk](https://snyk.io/blog/ten-npm-security-best-practices/): -> ... Another good practice to adopt is making use of the files property in package.json, which works as a whitelist and specifies the array of files to be included in the package that is to be created and installed (while the ignore file functions as a blacklist). The files property and an ignore file can both be used together to determine which files should explicitly be included, as well as excluded, from the package. When using both, the former the files property in package.json takes precedence over the ignore file. \ No newline at end of file +> ... Another good practice to adopt is making use of the files property in package.json, which works as a whitelist and specifies the array of files to be included in the package that is to be created and installed (while the ignore file functions as a blacklist). The files property and an ignore file can both be used together to determine which files should explicitly be included, as well as excluded, from the package. When using both, the former the files property in package.json takes precedence over the ignore file. + +From the [npm blog](https://blog.npmjs.org/post/165769683050/publishing-what-you-mean-to-publish) +> ... When you run npm publish, npm bundles up all the files in the current directory. It makes a few decisions for you about what to include and what to ignore. To make these decisions, it uses the contents of several files in your project directory. These files include .gitignore, .npmignore, and the files array in the package.json. It also always includes certain files and ignores others. \ No newline at end of file From 7eff9f57fbd06a3318324c174d44e7826fadaef6 Mon Sep 17 00:00:00 2001 
From: Kyle Martin Date: Fri, 5 Apr 2019 14:23:14 +1300 Subject: [PATCH 4/4] add dryrun detail --- sections/security/avoid_publishing_secrets.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sections/security/avoid_publishing_secrets.md b/sections/security/avoid_publishing_secrets.md index e1629503..934325bb 100644 --- a/sections/security/avoid_publishing_secrets.md +++ b/sections/security/avoid_publishing_secrets.md @@ -3,6 +3,8 @@ ### One Paragraph Explainer Precautions should be taken to avoid the risk of accidentally publishing secrets to public npm registries. An `.npmignore` file can be used to blacklist specific files or folders, or the `files` array in `package.json` can act as a whitelist. +To gain a view of what npm publish will really publish to the registry, the `--dry-run` flag can be added the npm publish command to provide a verbose view of the tarbell package created. + It is important to note that if a project is utilising both `.npmignore` and `.gitignore` files, everything which isn't in `.npmignore` is published to the registry(i.e. the `.npmignore` file overrides the `.gitignore`). This condition is a common source of confusion and is a problem that can lead to leaking secrets. Developers may end up updating the `.gitignore` file, but forget to update `.npmignore` as well, which can lead to a potentially sensitive file not being pushed to source control, but still being included in the npm package. ### Code example
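Review bot: in the patch 1 hunk that creates `sections/security/avoid_publishing_secrets.md`, the `.npmignore` example mixes test and build-tool entries with the two entries that actually concern secrets (`.env` and `.config`) without saying which is which; a comment such as `#environment - secrets live here` and, if the project keeps variants like `.env.local`, the pattern `.env*` would make the point of the example explicit. Smaller items in the same hunk: "registry(i.e." is missing a space before the parenthesis; the two fenced blocks have no language tag (the second is `json`); the `files` example lifts `dist/moment.js` paths from moment without saying so, so a generic `dist/` path would read better; the quoted Snyk sentence "the former the files property in package.json takes precedence" looks like a transcription slip and should be checked against the source; and the file is created without a trailing newline ("\ No newline at end of file"), which will make later patches show whole-line churn.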
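Review bot: in the patch 3 hunk the new attribution line `+From the [npm blog](https://blog.npmjs.org/post/165769683050/publishing-what-you-mean-to-publish)` lacks the trailing colon that the Snyk attribution line above it has; add it for consistency. The Snyk quote appears as removed and re-added only because the file had no trailing newline, and the file still ends without one after this patch ("\ No newline at end of file"); ending it with a newline would stop that churn.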
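Review bot: in the patch 4 hunk "tarbell package" should read "tarball", and "can be added the npm publish command" is missing "to"; `npm publish` should also be in backticks to match the `--dry-run` code span on the same line. Suggested wording: `+To see what npm publish will really send to the registry, add the `--dry-run` flag to the `npm publish` command; it prints a verbose listing of the tarball that would be created without uploading it.`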