Skip to content

Commit c579985

Browse files
Add package management clarification (#135)
1 parent bbe6ca7 commit c579985

1 file changed

Lines changed: 24 additions & 2 deletions

File tree

docs/standards/node_standards.md

Lines changed: 24 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -41,6 +41,8 @@ min-release-age=7
4141
| `ignore-scripts=true` | Prevents npm from running lifecycle scripts such as `preinstall` and `postinstall` during package installation. This blocks a common vector for arbitrary code execution from malicious or compromised packages. Note: some packages that compile native bindings require lifecycle scripts to function. If any packages genuinely need it, then `--ignore-scripts=false` can be passed to the relevant `npm install` command. |
4242
| `min-release-age=7` | Refuses to install packages published fewer than 7 days ago. This provides a window to detect package takeover or typosquatting attacks before they reach your codebase. Studies have shown that most malicious packages are detected within this timeframe. |
4343

44+
> Note: from v12 of npm, `ignore-scripts` is set to `true` by default.
45+
4446
To apply these settings you must also configure them globally across all projects on your machine. Run the following commands to ensure you are protected from any repository you interact with, even if you don't own it.
4547

4648
```sh
@@ -53,6 +55,23 @@ Or add the three lines directly to your global npm configuration file at `~/.npm
5355

5456
> There may be scenarios where it would be advantageous to bypass the seven day release age requirement, such as when you need to immediately patch a vulnerability. In these cases, you should do appropriate due diligence on the package and its publisher before installing it, and consider temporarily disabling the setting if necessary. You can bypass the setting for a single install command with `--min-release-age=0`.
5557
58+
#### Other package management tools
59+
60+
npm has been chosen as our standard package management tool as it is the most widely used and supported. Using a common package management tool enables us to share knowledge and best practices across teams. Particularly in response to supply chain attacks.
61+
62+
There may be scenarios where there is evidence that another package management tool is more appropriate for a more niche project setup.
63+
64+
These potential benefits must be weighed against the disadvantages of using a less common package management tool, such as:
65+
- less community support and documentation
66+
- less knowledge sharing across teams
67+
- isolated and increased response effort to supply chain attacks
68+
- requirement to learn how the tool's package resolution and dependency management works, which may be different to npm
69+
- because dependency resolution and vulnerability auditing vary between package managers, teams need to understand the different supply-chain risks and attack paths each tool introduces.
70+
71+
Any package management tool must be supported by GitHub Advanced Security for vulnerability and malware scanning to the same level as npm.
72+
73+
Use of package management tools other than npm must be approved at the appropriate governance level. Please speak to a Principal Developer for more information.
74+
5675
### Server framework
5776
- Our standard framework is [Hapi](https://hapijs.com/).
5877
- Be aware of the [Hapi support timeline](https://hapi.dev/support/#plans).
@@ -61,6 +80,7 @@ Or add the three lines directly to your global npm configuration file at `~/.npm
6180
considered unmaintainable and unsupportable until brought up to an appropriate version.
6281

6382
### CommonJS vs ES modules
83+
6484
- ES modules should be used by default over CommonJS modules.
6585
- For scenarios where ES modules are not appropriate then CommonJS may be used.
6686

@@ -72,5 +92,7 @@ This standard was formally adopted on 8 January 2020.
7292

7393
### Significant changes
7494

75-
Clarification on preference between CommonJS and ESM added 29 July 2024.
76-
Add .npmrc security settings added 1 May 2026.
95+
- Clarification on preference between CommonJS and ESM added 29 July 2024.
96+
- Add `.npmrc` security settings added 1 May 2026.
97+
- Clarification on use of other package management tools added 18 June 2026.
98+

0 commit comments

Comments
 (0)