Why you should use an npm proxy for your JavaScript

Andreas Sommarström
Apr 30, 2020

This short post talks about how using a private npm proxy helps improve control and security when using JavaScript packages in general and npm in particular.

  • Want to visualize your package dependencies?
  • Enforce security policies?
  • Manage your dependency on the public npm registry?

Read on to see why setting up and using an npm proxy is something you should consider.

Disclaimer: I originally posted an extended version of this article on bytesafe.dev on April 9, 2020. To read the complete post there with more insights on the benefits of using Bytesafe as your private registry provider, click here

Why an npm proxy is a good idea

Millions of developers use the public npm registry every day, and with more than 1.3 million packages it is an important asset in the JavaScript ecosystem (the recent news that GitHub has acquired npm, Inc only emphasizes that).

But with the convenience of the public npm registry, and the development speed that all those available open source packages enable, come downsides for keeping track of and managing all those dependencies.

Therefore, taking steps to improve control over dependencies and overall security when using npm is a necessity for any organization that wants to manage its code supply chain (rather than blindly trusting code from external sources).

And one of the first things usually mentioned for improving npm security is the use of an npm proxy.

Control over dependencies — How?

There are multiple ways an npm proxy enables better dependency control:

  • Central registry: an npm proxy acts as a central registry for all your required package versions, private and public together, possibly from multiple upstream sources.
  • Visualization of dependencies: with all required packages in one place, potential issues become easier to identify. Additionally, the proxy caches your packages, removing the worry that an essential package version will be unpublished in the future.
  • Single source: with all developers using the same proxy registry, every user builds from the same package source and versions, removing the risk of unknowingly building with different versions of a dependency.

Improved security — How?

Using an npm proxy enables a layer of separation between your organization and the outside JavaScript world.

  • Policies: an npm proxy introduces an important layer where you can enforce the security policies your organization requires.
  • License compliance: all dependencies are in one place to review or scan for problematic licenses.
  • Security scanning: review dependencies for known vulnerabilities and security problems.

Using Bytesafe as a proxy

Bytesafe’s hosted private npm registries work as an npm proxy by default. All that is required is an upstream configured for your registry. This gives you the benefits of an npm proxy together with the additional benefits Bytesafe offers to your workflow (and Bytesafe is available as a free account, by the way).

Example workflow when using a Bytesafe registry as an npm proxy

When using Bytesafe, developers configure their npm client to interact with the Bytesafe private registry instead of the (default) public registry.

Example of using the npm client with a Bytesafe registry (use the ‘--registry’ flag, or change the default registry using ‘npm config set registry’)

With the npm client no longer linked directly to the public registry, the workflow becomes the following:

Developers publish package versions to, and install them from, the Bytesafe private registry, with no direct interaction with the public registry. There is no need to change any behavior or usage patterns; the regular tools and clients are used.

The proxy registry holds all public and private packages and any required dependencies. If a required package version is not in the proxy registry, it is pulled from the upstreams.

Upstream registries provide the proxy registry with package versions (when required) and are the target for packages pushed from the proxy. Upstreams can be either a single registry or multiple registries.
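The "single source" guarantee above only holds if nobody's lockfile quietly resolves packages from somewhere other than the proxy. The following script is an added example, not code from the original post or from Bytesafe: it audits a package-lock.json and reports every dependency whose tarball was not resolved from the configured proxy registry over HTTPS, or that lacks an integrity hash. The registry URL and the lockfile contents are constructed for the example.

```javascript
// Hypothetical proxy registry URL (assumed, not a real Bytesafe endpoint); use your own.
const PROXY_REGISTRY = 'https://npm.example.test/r/default/';

// Constructed lockfile in the lockfileVersion 2 shape, trimmed to the fields that matter.
// lodash bypasses the proxy and internal-lib comes straight from git, so both should be flagged.
const sampleLock = {
  name: 'demo-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://npm.example.test/r/default/left-pad/-/left-pad-1.3.0.tgz',
      integrity: 'sha512-constructedPlaceholder'
    },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
      integrity: 'sha512-constructedPlaceholder'
    },
    'node_modules/internal-lib': {
      version: '0.1.0',
      resolved: 'git+ssh://git@github.com/example/internal-lib.git#constructed'
    }
  }
};

// Returns the packages whose tarball did not come from the proxy registry, with a reason each.
function findOffRegistryPackages(lock, registryUrl) {
  const allowed = new URL(registryUrl);
  const offenders = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.resolved) continue; // root entry or workspace link
    const name = path.replace(/^.*node_modules\//, '');
    let reason = null;
    try {
      const u = new URL(entry.resolved);
      if (u.protocol !== 'https:') reason = `non-https source ${u.protocol}`;
      else if (u.host !== allowed.host || !u.pathname.startsWith(allowed.pathname)) reason = `resolved from ${u.host}`;
      else if (!entry.integrity) reason = 'missing integrity hash';
    } catch (e) {
      reason = 'unparseable resolved URL';
    }
    if (reason) offenders.push({ name, version: entry.version, reason });
  }
  return offenders;
}

// Demo run on the constructed lockfile; on a real project pass JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
console.log(findOffRegistryPackages(sampleLock, PROXY_REGISTRY));
```

Running this in CI before `npm ci` turns the proxy from a convention into an enforced policy: a non-empty result fails the build.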

Recap

Setting up and using an npm proxy is an easy and effective way to keep JavaScript dependencies in check and improve security when using npm, without impacting or changing the workflow for developers. If your organization wants to stay in control and manage its code supply chain, you should set up an npm proxy.

Bytesafe offers hosted, private, reliable and free npm registries that help your organization or team collaborate on your JavaScript code. In addition, Bytesafe offers a growing list of Policies & Plugins that aim to simplify your JavaScript workflow (e.g. freezing registry states, auto-forwarding package versions to upstreams, security scanning and more).

For more details, visit Bytesafe.


Andreas Sommarström

Customer Success Engineer / Developer Relations for bytesafe.dev. Always aiming to make life less complex.