• Force MFA + scoped tokens for every publish-capable account.
  • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.
  • For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

  • Schedule weekly npm ls --all triage for newly discovered transitive packages.
  • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
  • Force MFA + scoped tokens for every publish-capable account.
  • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.
  • For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

  • Run npm audit signatures on every install; fail builds without provenance.
  • Schedule weekly npm ls --all triage for newly discovered transitive packages.
  • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
  • Force MFA + scoped tokens for every publish-capable account.
  • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.
  • For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

  • Pin registry per scope in .npmrc and enforce via egress proxy.
  • Run npm audit signatures on every install; fail builds without provenance.
  • Schedule weekly npm ls --all triage for newly discovered transitive packages.
  • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
  • Force MFA + scoped tokens for every publish-capable account.
  • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.
  • For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

  • Block merges on any unplanned package-lock.json or npm-shrinkwrap.json diff.
  • Pin registry per scope in .npmrc and enforce via egress proxy.
  • Run npm audit signatures on every install; fail builds without provenance.
  • Schedule weekly npm ls --all triage for newly discovered transitive packages.
  • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
  • Force MFA + scoped tokens for every publish-capable account.
  • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.
  • For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

  • Require npm ci with --ignore-scripts in production builds; explicitly allow scripts only in vetted ephemeral runners.
  • Block merges on any unplanned package-lock.json or npm-shrinkwrap.json diff.
  • Pin registry per scope in .npmrc and enforce via egress proxy.
  • Run npm audit signatures on every install; fail builds without provenance.
  • Schedule weekly npm ls --all triage for newly discovered transitive packages.
  • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
  • Force MFA + scoped tokens for every publish-capable account.
  • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.
  • For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

    • Require npm ci with --ignore-scripts in production builds; explicitly allow scripts only in vetted ephemeral runners.
    • Block merges on any unplanned package-lock.json or npm-shrinkwrap.json diff.
    • Pin registry per scope in .npmrc and enforce via egress proxy.
    • Run npm audit signatures on every install; fail builds without provenance.
    • Schedule weekly npm ls --all triage for newly discovered transitive packages.
    • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
    • Force MFA + scoped tokens for every publish-capable account.
    • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.

    For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

    • Require npm ci with --ignore-scripts in production builds; explicitly allow scripts only in vetted ephemeral runners.
    • Block merges on any unplanned package-lock.json or npm-shrinkwrap.json diff.
    • Pin registry per scope in .npmrc and enforce via egress proxy.
    • Run npm audit signatures on every install; fail builds without provenance.
    • Schedule weekly npm ls --all triage for newly discovered transitive packages.
    • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
    • Force MFA + scoped tokens for every publish-capable account.
    • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.

    For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

  • Manifest diff highlighting transitive bumps, especially "major" jumps.
  • Sandbox-driven replay of the resolved tree against a fresh npm ci.
  • ilustrasi grafik dependency yang ditembus oleh attacker melalui lockfile
    Replay is the cheapest way to prove your build still produces the artifact your team reviewed.

    CI Hardening Checklist for Security Architects

    • Require npm ci with --ignore-scripts in production builds; explicitly allow scripts only in vetted ephemeral runners.
    • Block merges on any unplanned package-lock.json or npm-shrinkwrap.json diff.
    • Pin registry per scope in .npmrc and enforce via egress proxy.
    • Run npm audit signatures on every install; fail builds without provenance.
    • Schedule weekly npm ls --all triage for newly discovered transitive packages.
    • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
    • Force MFA + scoped tokens for every publish-capable account.
    • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.

    For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

  • Maintainer tenure and repo activity review for new packages.
  • Manifest diff highlighting transitive bumps, especially "major" jumps.
  • Sandbox-driven replay of the resolved tree against a fresh npm ci.
  • ilustrasi grafik dependency yang ditembus oleh attacker melalui lockfile
    Replay is the cheapest way to prove your build still produces the artifact your team reviewed.

    CI Hardening Checklist for Security Architects

    • Require npm ci with --ignore-scripts in production builds; explicitly allow scripts only in vetted ephemeral runners.
    • Block merges on any unplanned package-lock.json or npm-shrinkwrap.json diff.
    • Pin registry per scope in .npmrc and enforce via egress proxy.
    • Run npm audit signatures on every install; fail builds without provenance.
    • Schedule weekly npm ls --all triage for newly discovered transitive packages.
    • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
    • Force MFA + scoped tokens for every publish-capable account.
    • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.

    For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

  • Automated npm audit signatures and CVE checks.
  • Maintainer tenure and repo activity review for new packages.
  • Manifest diff highlighting transitive bumps, especially "major" jumps.
  • Sandbox-driven replay of the resolved tree against a fresh npm ci.
  • ilustrasi grafik dependency yang ditembus oleh attacker melalui lockfile
    Replay is the cheapest way to prove your build still produces the artifact your team reviewed.

    CI Hardening Checklist for Security Architects

    • Require npm ci with --ignore-scripts in production builds; explicitly allow scripts only in vetted ephemeral runners.
    • Block merges on any unplanned package-lock.json or npm-shrinkwrap.json diff.
    • Pin registry per scope in .npmrc and enforce via egress proxy.
    • Run npm audit signatures on every install; fail builds without provenance.
    • Schedule weekly npm ls --all triage for newly discovered transitive packages.
    • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
    • Force MFA + scoped tokens for every publish-capable account.
    • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.

    For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

    • Automated npm audit signatures and CVE checks.
    • Maintainer tenure and repo activity review for new packages.
    • Manifest diff highlighting transitive bumps, especially "major" jumps.
    • Sandbox-driven replay of the resolved tree against a fresh npm ci.
    ilustrasi grafik dependency yang ditembus oleh attacker melalui lockfile
    Replay is the cheapest way to prove your build still produces the artifact your team reviewed.

    CI Hardening Checklist for Security Architects

    • Require npm ci with --ignore-scripts in production builds; explicitly allow scripts only in vetted ephemeral runners.
    • Block merges on any unplanned package-lock.json or npm-shrinkwrap.json diff.
    • Pin registry per scope in .npmrc and enforce via egress proxy.
    • Run npm audit signatures on every install; fail builds without provenance.
    • Schedule weekly npm ls --all triage for newly discovered transitive packages.
    • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
    • Force MFA + scoped tokens for every publish-capable account.
    • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.

    For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

    • Automated npm audit signatures and CVE checks.
    • Maintainer tenure and repo activity review for new packages.
    • Manifest diff highlighting transitive bumps, especially "major" jumps.
    • Sandbox-driven replay of the resolved tree against a fresh npm ci.
    ilustrasi grafik dependency yang ditembus oleh attacker melalui lockfile
    Replay is the cheapest way to prove your build still produces the artifact your team reviewed.

    CI Hardening Checklist for Security Architects

    • Require npm ci with --ignore-scripts in production builds; explicitly allow scripts only in vetted ephemeral runners.
    • Block merges on any unplanned package-lock.json or npm-shrinkwrap.json diff.
    • Pin registry per scope in .npmrc and enforce via egress proxy.
    • Run npm audit signatures on every install; fail builds without provenance.
    • Schedule weekly npm ls --all triage for newly discovered transitive packages.
    • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
    • Force MFA + scoped tokens for every publish-capable account.
    • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.

    For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

  • Resolution drift: letting npm install silently re-resolve semver ranges when the lockfile drifts out of sync with package.json.
  • Local cache poisoning: priming an attacker-controlled tarball into the global cache so the resolved “same” integrity actually pulls new bytes.
  • diagram alur serangan package-lock.json integrity bypass pada pipeline CI
    Integrity bypass rarely breaks the lockfile format. It bends the trust assumptions around it.

    Five Real-World Bypass Techniques Senior Engineers Keep Missing

    These are not theoretical. Each one shows up in post-mortems from teams running serious CI at scale.

    1. npm install Where npm ci Should Run

    Every senior engineer has typed this. The problem? npm install mutates the lockfile if it disagrees with package.json, and it does not always fail loudly. An attacker who can nudge a dependency's published semver range still walks in through a routine install step.

    # Safer baseline for CI
    npm ci --ignore-scripts
    # Disallow lockfile mutation post-install
    git diff --exit-code package-lock.json

    2. Re-Resolution via Private Registries Misconfiguration

    package-lock.json integrity hashes are scoped-by-registry, but only when the URL stays identical. Flip a package to a scoped mirror with a different host, and npm will happily compute a new integrity key against the new URL. Same package name, same version, different bytes.

    Mitigation: pin registry per scope in .npmrc, deny unknown registries at egress, and artifact-sign resolutions with tools like npm audit signatures and Sigstore.

    3. Tampering via npm-shrinkwrap.json Override

    When npm-shrinkwrap.json lives alongside package-lock.json, npm silently prefers the shrinkwrap. An attacker with write access to a feature branch can land a shrinkwrap-only change that overrides the reviewed lockfile. The PR diff looks tiny. The resolved graph is not.

    4. Lifecycle Script Execution Before Integrity Check

    Most installers run preinstall scripts before they validate a resolved tarball against its announced integrity hash. A malicious dependency can race the install, drop a backdoor into node_modules, or rewrite build outputs cached for CI. Disabling lifecycle scripts breaks popular packages, so the better move is to require sandboxed installs (Docker, ephemeral runners, Firejail, Bubblewrap).

    contoh kode commit lockfile yang rentan terhadap bypass pada npm
    A 12-line lockfile diff can hide a transitive rewrite. Treat every change like a code change.

    5. Hash Collisions in Nested Dependency Trees

    Even when injected packages deliver the announced integrity hash, the practical contract is the bytes served by the registry on that day. A nested dependency with a compromised maintainer account can ship identical hashes for different content while the lockfile proves precisely nothing. Cross-package signing (npm provenance, Sigstore, in-toto attestations) is the only durable defense.

    contoh perbandingan integritas hash lockfile sebelum dan sesudah tampering
    An integrity hash only proves the bytes you received, not the bytes the maintainer intended to publish.

    The Lockfile Contract Framework: Freeze, Attest, Replay

    Here is the framework I use when auditing CI for senior engineering teams. It is not a checklist. It is a contract.

    Freeze: Treat the Lockfile as Immutable

    CI must refuse installs that would mutate the lockfile. Tools like oss-review-toolkit and npm's own install-strategy=nested help you detect drift early. Pair this with a package-lock.json hash stored outside the repo as build-time evidence.

    Attest: Require Signed Provenance on Every Dependency

    Lockfile integrity answers “did the bytes match?” Provenance answers “who published them, from what commit, through what pipeline?” Adopt npm provenance, Sigstore, or in-toto for any dependency that gates production. If a package cannot prove itself, it does not enter your build.

    Replay: Diff, Audit, Block

    Every lockfile PR should trigger:

    • Automated npm audit signatures and CVE checks.
    • Maintainer tenure and repo activity review for new packages.
    • Manifest diff highlighting transitive bumps, especially "major" jumps.
    • Sandbox-driven replay of the resolved tree against a fresh npm ci.
    ilustrasi grafik dependency yang ditembus oleh attacker melalui lockfile
    Replay is the cheapest way to prove your build still produces the artifact your team reviewed.

    CI Hardening Checklist for Security Architects

    • Require npm ci with --ignore-scripts in production builds; explicitly allow scripts only in vetted ephemeral runners.
    • Block merges on any unplanned package-lock.json or npm-shrinkwrap.json diff.
    • Pin registry per scope in .npmrc and enforce via egress proxy.
    • Run npm audit signatures on every install; fail builds without provenance.
    • Schedule weekly npm ls --all triage for newly discovered transitive packages.
    • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
    • Force MFA + scoped tokens for every publish-capable account.
    • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.

    For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

  • Lifecycle script hijack: replaying preinstall, postinstall, or install hooks that mutate the dependency tree before integrity is checked.
  • Resolution drift: letting npm install silently re-resolve semver ranges when the lockfile drifts out of sync with package.json.
  • Local cache poisoning: priming an attacker-controlled tarball into the global cache so the resolved “same” integrity actually pulls new bytes.
  • diagram alur serangan package-lock.json integrity bypass pada pipeline CI
    Integrity bypass rarely breaks the lockfile format. It bends the trust assumptions around it.

    Five Real-World Bypass Techniques Senior Engineers Keep Missing

    These are not theoretical. Each one shows up in post-mortems from teams running serious CI at scale.

    1. npm install Where npm ci Should Run

    Every senior engineer has typed this. The problem? npm install mutates the lockfile if it disagrees with package.json, and it does not always fail loudly. An attacker who can nudge a dependency's published semver range still walks in through a routine install step.

    # Safer baseline for CI
    npm ci --ignore-scripts
    # Disallow lockfile mutation post-install
    git diff --exit-code package-lock.json

    2. Re-Resolution via Private Registries Misconfiguration

    package-lock.json integrity hashes are scoped-by-registry, but only when the URL stays identical. Flip a package to a scoped mirror with a different host, and npm will happily compute a new integrity key against the new URL. Same package name, same version, different bytes.

    Mitigation: pin registry per scope in .npmrc, deny unknown registries at egress, and artifact-sign resolutions with tools like npm audit signatures and Sigstore.

    3. Tampering via npm-shrinkwrap.json Override

    When npm-shrinkwrap.json lives alongside package-lock.json, npm silently prefers the shrinkwrap. An attacker with write access to a feature branch can land a shrinkwrap-only change that overrides the reviewed lockfile. The PR diff looks tiny. The resolved graph is not.

    4. Lifecycle Script Execution Before Integrity Check

    Most installers run preinstall scripts before they validate a resolved tarball against its announced integrity hash. A malicious dependency can race the install, drop a backdoor into node_modules, or rewrite build outputs cached for CI. Disabling lifecycle scripts breaks popular packages, so the better move is to require sandboxed installs (Docker, ephemeral runners, Firejail, Bubblewrap).

    contoh kode commit lockfile yang rentan terhadap bypass pada npm
    A 12-line lockfile diff can hide a transitive rewrite. Treat every change like a code change.

    5. Hash Collisions in Nested Dependency Trees

    Even when injected packages deliver the announced integrity hash, the practical contract is the bytes served by the registry on that day. A nested dependency with a compromised maintainer account can ship identical hashes for different content while the lockfile proves precisely nothing. Cross-package signing (npm provenance, Sigstore, in-toto attestations) is the only durable defense.

    contoh perbandingan integritas hash lockfile sebelum dan sesudah tampering
    An integrity hash only proves the bytes you received, not the bytes the maintainer intended to publish.

    The Lockfile Contract Framework: Freeze, Attest, Replay

    Here is the framework I use when auditing CI for senior engineering teams. It is not a checklist. It is a contract.

    Freeze: Treat the Lockfile as Immutable

    CI must refuse installs that would mutate the lockfile. Tools like oss-review-toolkit and npm's own install-strategy=nested help you detect drift early. Pair this with a package-lock.json hash stored outside the repo as build-time evidence.

    Attest: Require Signed Provenance on Every Dependency

    Lockfile integrity answers “did the bytes match?” Provenance answers “who published them, from what commit, through what pipeline?” Adopt npm provenance, Sigstore, or in-toto for any dependency that gates production. If a package cannot prove itself, it does not enter your build.

    Replay: Diff, Audit, Block

    Every lockfile PR should trigger:

    • Automated npm audit signatures and CVE checks.
    • Maintainer tenure and repo activity review for new packages.
    • Manifest diff highlighting transitive bumps, especially "major" jumps.
    • Sandbox-driven replay of the resolved tree against a fresh npm ci.
    ilustrasi grafik dependency yang ditembus oleh attacker melalui lockfile
    Replay is the cheapest way to prove your build still produces the artifact your team reviewed.

    CI Hardening Checklist for Security Architects

    • Require npm ci with --ignore-scripts in production builds; explicitly allow scripts only in vetted ephemeral runners.
    • Block merges on any unplanned package-lock.json or npm-shrinkwrap.json diff.
    • Pin registry per scope in .npmrc and enforce via egress proxy.
    • Run npm audit signatures on every install; fail builds without provenance.
    • Schedule weekly npm ls --all triage for newly discovered transitive packages.
    • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
    • Force MFA + scoped tokens for every publish-capable account.
    • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.

    For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

  • Lifecycle script hijack: replaying preinstall, postinstall, or install hooks that mutate the dependency tree before integrity is checked.
  • Resolution drift: letting npm install silently re-resolve semver ranges when the lockfile drifts out of sync with package.json.
  • Local cache poisoning: priming an attacker-controlled tarball into the global cache so the resolved “same” integrity actually pulls new bytes.
  • diagram alur serangan package-lock.json integrity bypass pada pipeline CI
    Integrity bypass rarely breaks the lockfile format. It bends the trust assumptions around it.

    Five Real-World Bypass Techniques Senior Engineers Keep Missing

    These are not theoretical. Each one shows up in post-mortems from teams running serious CI at scale.

    1. npm install Where npm ci Should Run

    Every senior engineer has typed this. The problem? npm install mutates the lockfile if it disagrees with package.json, and it does not always fail loudly. An attacker who can nudge a dependency's published semver range still walks in through a routine install step.

    # Safer baseline for CI
    npm ci --ignore-scripts
    # Disallow lockfile mutation post-install
    git diff --exit-code package-lock.json

    2. Re-Resolution via Private Registries Misconfiguration

    package-lock.json integrity hashes are scoped-by-registry, but only when the URL stays identical. Flip a package to a scoped mirror with a different host, and npm will happily compute a new integrity key against the new URL. Same package name, same version, different bytes.

    Mitigation: pin registry per scope in .npmrc, deny unknown registries at egress, and artifact-sign resolutions with tools like npm audit signatures and Sigstore.

    3. Tampering via npm-shrinkwrap.json Override

    When npm-shrinkwrap.json lives alongside package-lock.json, npm silently prefers the shrinkwrap. An attacker with write access to a feature branch can land a shrinkwrap-only change that overrides the reviewed lockfile. The PR diff looks tiny. The resolved graph is not.

    4. Lifecycle Script Execution Before Integrity Check

    Most installers run preinstall scripts before they validate a resolved tarball against its announced integrity hash. A malicious dependency can race the install, drop a backdoor into node_modules, or rewrite build outputs cached for CI. Disabling lifecycle scripts breaks popular packages, so the better move is to require sandboxed installs (Docker, ephemeral runners, Firejail, Bubblewrap).

    contoh kode commit lockfile yang rentan terhadap bypass pada npm
    A 12-line lockfile diff can hide a transitive rewrite. Treat every change like a code change.

    5. Hash Collisions in Nested Dependency Trees

    Even when injected packages deliver the announced integrity hash, the practical contract is the bytes served by the registry on that day. A nested dependency with a compromised maintainer account can ship identical hashes for different content while the lockfile proves precisely nothing. Cross-package signing (npm provenance, Sigstore, in-toto attestations) is the only durable defense.

    contoh perbandingan integritas hash lockfile sebelum dan sesudah tampering
    An integrity hash only proves the bytes you received, not the bytes the maintainer intended to publish.

    The Lockfile Contract Framework: Freeze, Attest, Replay

    Here is the framework I use when auditing CI for senior engineering teams. It is not a checklist. It is a contract.

    Freeze: Treat the Lockfile as Immutable

    CI must refuse installs that would mutate the lockfile. Tools like oss-review-toolkit and npm's own install-strategy=nested help you detect drift early. Pair this with a package-lock.json hash stored outside the repo as build-time evidence.

    Attest: Require Signed Provenance on Every Dependency

    Lockfile integrity answers “did the bytes match?” Provenance answers “who published them, from what commit, through what pipeline?” Adopt npm provenance, Sigstore, or in-toto for any dependency that gates production. If a package cannot prove itself, it does not enter your build.

    Replay: Diff, Audit, Block

    Every lockfile PR should trigger:

    • Automated npm audit signatures and CVE checks.
    • Maintainer tenure and repo activity review for new packages.
    • Manifest diff highlighting transitive bumps, especially "major" jumps.
    • Sandbox-driven replay of the resolved tree against a fresh npm ci.
    ilustrasi grafik dependency yang ditembus oleh attacker melalui lockfile
    Replay is the cheapest way to prove your build still produces the artifact your team reviewed.

    CI Hardening Checklist for Security Architects

    • Require npm ci with --ignore-scripts in production builds; explicitly allow scripts only in vetted ephemeral runners.
    • Block merges on any unplanned package-lock.json or npm-shrinkwrap.json diff.
    • Pin registry per scope in .npmrc and enforce via egress proxy.
    • Run npm audit signatures on every install; fail builds without provenance.
    • Schedule weekly npm ls --all triage for newly discovered transitive packages.
    • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
    • Force MFA + scoped tokens for every publish-capable account.
    • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.

    For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

  • Registry confusion: pulling a different artifact from a mirrored or scoped registry while keeping the same version + integrity key on paper.
  • Lifecycle script hijack: replaying preinstall, postinstall, or install hooks that mutate the dependency tree before integrity is checked.
  • Resolution drift: letting npm install silently re-resolve semver ranges when the lockfile drifts out of sync with package.json.
  • Local cache poisoning: priming an attacker-controlled tarball into the global cache so the resolved “same” integrity actually pulls new bytes.
  • diagram alur serangan package-lock.json integrity bypass pada pipeline CI
    Integrity bypass rarely breaks the lockfile format. It bends the trust assumptions around it.

    Five Real-World Bypass Techniques Senior Engineers Keep Missing

    These are not theoretical. Each one shows up in post-mortems from teams running serious CI at scale.

    1. npm install Where npm ci Should Run

    Every senior engineer has typed this. The problem? npm install mutates the lockfile if it disagrees with package.json, and it does not always fail loudly. An attacker who can nudge a dependency's published semver range still walks in through a routine install step.

    # Safer baseline for CI
    npm ci --ignore-scripts
    # Disallow lockfile mutation post-install
    git diff --exit-code package-lock.json

    2. Re-Resolution via Private Registries Misconfiguration

    package-lock.json integrity hashes are scoped-by-registry, but only when the URL stays identical. Flip a package to a scoped mirror with a different host, and npm will happily compute a new integrity key against the new URL. Same package name, same version, different bytes.

    Mitigation: pin registry per scope in .npmrc, deny unknown registries at egress, and artifact-sign resolutions with tools like npm audit signatures and Sigstore.

    3. Tampering via npm-shrinkwrap.json Override

    When npm-shrinkwrap.json lives alongside package-lock.json, npm silently prefers the shrinkwrap. An attacker with write access to a feature branch can land a shrinkwrap-only change that overrides the reviewed lockfile. The PR diff looks tiny. The resolved graph is not.

    4. Lifecycle Script Execution Before Integrity Check

    Most installers run preinstall scripts before they validate a resolved tarball against its announced integrity hash. A malicious dependency can race the install, drop a backdoor into node_modules, or rewrite build outputs cached for CI. Disabling lifecycle scripts breaks popular packages, so the better move is to require sandboxed installs (Docker, ephemeral runners, Firejail, Bubblewrap).

    contoh kode commit lockfile yang rentan terhadap bypass pada npm
    A 12-line lockfile diff can hide a transitive rewrite. Treat every change like a code change.

    5. Hash Collisions in Nested Dependency Trees

    Even when injected packages deliver the announced integrity hash, the practical contract is the bytes served by the registry on that day. A nested dependency with a compromised maintainer account can ship identical hashes for different content while the lockfile proves precisely nothing. Cross-package signing (npm provenance, Sigstore, in-toto attestations) is the only durable defense.

    contoh perbandingan integritas hash lockfile sebelum dan sesudah tampering
    An integrity hash only proves the bytes you received, not the bytes the maintainer intended to publish.

    The Lockfile Contract Framework: Freeze, Attest, Replay

    Here is the framework I use when auditing CI for senior engineering teams. It is not a checklist. It is a contract.

    Freeze: Treat the Lockfile as Immutable

    CI must refuse installs that would mutate the lockfile. Tools like oss-review-toolkit and npm's own install-strategy=nested help you detect drift early. Pair this with a package-lock.json hash stored outside the repo as build-time evidence.

    Attest: Require Signed Provenance on Every Dependency

    Lockfile integrity answers “did the bytes match?” Provenance answers “who published them, from what commit, through what pipeline?” Adopt npm provenance, Sigstore, or in-toto for any dependency that gates production. If a package cannot prove itself, it does not enter your build.

    Replay: Diff, Audit, Block

    Every lockfile PR should trigger:

    • Automated npm audit signatures and CVE checks.
    • Maintainer tenure and repo activity review for new packages.
    • Manifest diff highlighting transitive bumps, especially "major" jumps.
    • Sandbox-driven replay of the resolved tree against a fresh npm ci.
    ilustrasi grafik dependency yang ditembus oleh attacker melalui lockfile
    Replay is the cheapest way to prove your build still produces the artifact your team reviewed.

    CI Hardening Checklist for Security Architects

    • Require npm ci with --ignore-scripts in production builds; explicitly allow scripts only in vetted ephemeral runners.
    • Block merges on any unplanned package-lock.json or npm-shrinkwrap.json diff.
    • Pin registry per scope in .npmrc and enforce via egress proxy.
    • Run npm audit signatures on every install; fail builds without provenance.
    • Schedule weekly npm ls --all triage for newly discovered transitive packages.
    • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
    • Force MFA + scoped tokens for every publish-capable account.
    • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.

    For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

    • Registry confusion: pulling a different artifact from a mirrored or scoped registry while keeping the same version + integrity key on paper.
    • Lifecycle script hijack: replaying preinstall, postinstall, or install hooks that mutate the dependency tree before integrity is checked.
    • Resolution drift: letting npm install silently re-resolve semver ranges when the lockfile drifts out of sync with package.json.
    • Local cache poisoning: priming an attacker-controlled tarball into the global cache so the resolved “same” integrity actually pulls new bytes.
    diagram alur serangan package-lock.json integrity bypass pada pipeline CI
    Integrity bypass rarely breaks the lockfile format. It bends the trust assumptions around it.

    Five Real-World Bypass Techniques Senior Engineers Keep Missing

    These are not theoretical. Each one shows up in post-mortems from teams running serious CI at scale.

    1. npm install Where npm ci Should Run

    Every senior engineer has typed this. The problem? npm install mutates the lockfile if it disagrees with package.json, and it does not always fail loudly. An attacker who can nudge a dependency's published semver range still walks in through a routine install step.

    # Safer baseline for CI
    npm ci --ignore-scripts
    # Disallow lockfile mutation post-install
    git diff --exit-code package-lock.json

    2. Re-Resolution via Private Registries Misconfiguration

    package-lock.json integrity hashes are scoped-by-registry, but only when the URL stays identical. Flip a package to a scoped mirror with a different host, and npm will happily compute a new integrity key against the new URL. Same package name, same version, different bytes.

    Mitigation: pin registry per scope in .npmrc, deny unknown registries at egress, and artifact-sign resolutions with tools like npm audit signatures and Sigstore.

    3. Tampering via npm-shrinkwrap.json Override

    When npm-shrinkwrap.json lives alongside package-lock.json, npm silently prefers the shrinkwrap. An attacker with write access to a feature branch can land a shrinkwrap-only change that overrides the reviewed lockfile. The PR diff looks tiny. The resolved graph is not.

    4. Lifecycle Script Execution Before Integrity Check

    Most installers run preinstall scripts before they validate a resolved tarball against its announced integrity hash. A malicious dependency can race the install, drop a backdoor into node_modules, or rewrite build outputs cached for CI. Disabling lifecycle scripts breaks popular packages, so the better move is to require sandboxed installs (Docker, ephemeral runners, Firejail, Bubblewrap).

    contoh kode commit lockfile yang rentan terhadap bypass pada npm
    A 12-line lockfile diff can hide a transitive rewrite. Treat every change like a code change.

    5. Hash Collisions in Nested Dependency Trees

    Even when injected packages deliver the announced integrity hash, the practical contract is the bytes served by the registry on that day. A nested dependency with a compromised maintainer account can ship identical hashes for different content while the lockfile proves precisely nothing. Cross-package signing (npm provenance, Sigstore, in-toto attestations) is the only durable defense.

    contoh perbandingan integritas hash lockfile sebelum dan sesudah tampering
    An integrity hash only proves the bytes you received, not the bytes the maintainer intended to publish.

    The Lockfile Contract Framework: Freeze, Attest, Replay

    Here is the framework I use when auditing CI for senior engineering teams. It is not a checklist. It is a contract.

    Freeze: Treat the Lockfile as Immutable

    CI must refuse installs that would mutate the lockfile. Tools like oss-review-toolkit and npm's own install-strategy=nested help you detect drift early. Pair this with a package-lock.json hash stored outside the repo as build-time evidence.

    Attest: Require Signed Provenance on Every Dependency

    Lockfile integrity answers “did the bytes match?” Provenance answers “who published them, from what commit, through what pipeline?” Adopt npm provenance, Sigstore, or in-toto for any dependency that gates production. If a package cannot prove itself, it does not enter your build.

    Replay: Diff, Audit, Block

    Every lockfile PR should trigger:

    • Automated npm audit signatures and CVE checks.
    • Maintainer tenure and repo activity review for new packages.
    • Manifest diff highlighting transitive bumps, especially "major" jumps.
    • Sandbox-driven replay of the resolved tree against a fresh npm ci.
    ilustrasi grafik dependency yang ditembus oleh attacker melalui lockfile
    Replay is the cheapest way to prove your build still produces the artifact your team reviewed.

    CI Hardening Checklist for Security Architects

    • Require npm ci with --ignore-scripts in production builds; explicitly allow scripts only in vetted ephemeral runners.
    • Block merges on any unplanned package-lock.json or npm-shrinkwrap.json diff.
    • Pin registry per scope in .npmrc and enforce via egress proxy.
    • Run npm audit signatures on every install; fail builds without provenance.
    • Schedule weekly npm ls --all triage for newly discovered transitive packages.
    • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
    • Force MFA + scoped tokens for every publish-capable account.
    • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.

    For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

    • Registry confusion: pulling a different artifact from a mirrored or scoped registry while keeping the same version + integrity key on paper.
    • Lifecycle script hijack: replaying preinstall, postinstall, or install hooks that mutate the dependency tree before integrity is checked.
    • Resolution drift: letting npm install silently re-resolve semver ranges when the lockfile drifts out of sync with package.json.
    • Local cache poisoning: priming an attacker-controlled tarball into the global cache so the resolved “same” integrity actually pulls new bytes.
    diagram alur serangan package-lock.json integrity bypass pada pipeline CI
    Integrity bypass rarely breaks the lockfile format. It bends the trust assumptions around it.

    Five Real-World Bypass Techniques Senior Engineers Keep Missing

    These are not theoretical. Each one shows up in post-mortems from teams running serious CI at scale.

    1. npm install Where npm ci Should Run

    Every senior engineer has typed this. The problem? npm install mutates the lockfile if it disagrees with package.json, and it does not always fail loudly. An attacker who can nudge a dependency's published semver range still walks in through a routine install step.

    # Safer baseline for CI
    npm ci --ignore-scripts
    # Disallow lockfile mutation post-install
    git diff --exit-code package-lock.json

    2. Re-Resolution via Private Registries Misconfiguration

    package-lock.json integrity hashes are scoped-by-registry, but only when the URL stays identical. Flip a package to a scoped mirror with a different host, and npm will happily compute a new integrity key against the new URL. Same package name, same version, different bytes.

    Mitigation: pin registry per scope in .npmrc, deny unknown registries at egress, and artifact-sign resolutions with tools like npm audit signatures and Sigstore.

    3. Tampering via npm-shrinkwrap.json Override

    When npm-shrinkwrap.json lives alongside package-lock.json, npm silently prefers the shrinkwrap. An attacker with write access to a feature branch can land a shrinkwrap-only change that overrides the reviewed lockfile. The PR diff looks tiny. The resolved graph is not.

    4. Lifecycle Script Execution Before Integrity Check

    Most installers run preinstall scripts before they validate a resolved tarball against its announced integrity hash. A malicious dependency can race the install, drop a backdoor into node_modules, or rewrite build outputs cached for CI. Disabling lifecycle scripts breaks popular packages, so the better move is to require sandboxed installs (Docker, ephemeral runners, Firejail, Bubblewrap).

    contoh kode commit lockfile yang rentan terhadap bypass pada npm
    A 12-line lockfile diff can hide a transitive rewrite. Treat every change like a code change.

    5. Hash Collisions in Nested Dependency Trees

    Even when injected packages deliver the announced integrity hash, the practical contract is the bytes served by the registry on that day. A nested dependency with a compromised maintainer account can ship identical hashes for different content while the lockfile proves precisely nothing. Cross-package signing (npm provenance, Sigstore, in-toto attestations) is the only durable defense.

    contoh perbandingan integritas hash lockfile sebelum dan sesudah tampering
    An integrity hash only proves the bytes you received, not the bytes the maintainer intended to publish.

    The Lockfile Contract Framework: Freeze, Attest, Replay

    Here is the framework I use when auditing CI for senior engineering teams. It is not a checklist. It is a contract.

    Freeze: Treat the Lockfile as Immutable

    CI must refuse installs that would mutate the lockfile. Tools like oss-review-toolkit and npm's own install-strategy=nested help you detect drift early. Pair this with a package-lock.json hash stored outside the repo as build-time evidence.

    Attest: Require Signed Provenance on Every Dependency

    Lockfile integrity answers “did the bytes match?” Provenance answers “who published them, from what commit, through what pipeline?” Adopt npm provenance, Sigstore, or in-toto for any dependency that gates production. If a package cannot prove itself, it does not enter your build.

    Replay: Diff, Audit, Block

    Every lockfile PR should trigger:

    • Automated npm audit signatures and CVE checks.
    • Maintainer tenure and repo activity review for new packages.
    • Manifest diff highlighting transitive bumps, especially "major" jumps.
    • Sandbox-driven replay of the resolved tree against a fresh npm ci.
    ilustrasi grafik dependency yang ditembus oleh attacker melalui lockfile
    Replay is the cheapest way to prove your build still produces the artifact your team reviewed.

    CI Hardening Checklist for Security Architects

    • Require npm ci with --ignore-scripts in production builds; explicitly allow scripts only in vetted ephemeral runners.
    • Block merges on any unplanned package-lock.json or npm-shrinkwrap.json diff.
    • Pin registry per scope in .npmrc and enforce via egress proxy.
    • Run npm audit signatures on every install; fail builds without provenance.
    • Schedule weekly npm ls --all triage for newly discovered transitive packages.
    • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
    • Force MFA + scoped tokens for every publish-capable account.
    • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.

    For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

    You pinned every dependency. Your CI builds clean. Your SBOM looks perfect. Then a reverse shell lands in production, and no one touched the manifest. How? The attacker did not need to change your source code. They only needed your package-lock.json integrity to be a polite suggestion instead of a contract.

    Most teams treat package-lock.json as a reproducibility convenience for fast installs. In reality, it is the only wall standing between your build and a malicious transitive update. Once that wall cracks, attackers can swap, shim, or quietly rewrite payload code while every green check still smiles back at you.

    Key Takeaways:
    Lockfile integrity is your first defensive line against supply chain compromise, but only when CI treats it as an immutable contract. Default npm install behavior, registry overrides, lifecycle scripts, and shrinkwrap tricks all give attackers quiet ways to bypass pinning. Treat the lockfile like production code: lock it, hash it, review every diff, and fail builds fast when it changes for the wrong reasons.

    Why “We Use a Lockfile” Is Not a Security Claim

    A lockfile records a resolution graph that your team reviewed at one point in time. Each entry contains a version, a resolved URL, and an integrity hash. Trusting it means trusting three things simultaneously: the registry response, the client that wrote the file, and the CI pipeline that consumes it.

    Attackers do not bother attacking the lockfile format itself. They go after the seams:

    • Registry confusion: pulling a different artifact from a mirrored or scoped registry while keeping the same version + integrity key on paper.
    • Lifecycle script hijack: replaying preinstall, postinstall, or install hooks that mutate the dependency tree before integrity is checked.
    • Resolution drift: letting npm install silently re-resolve semver ranges when the lockfile drifts out of sync with package.json.
    • Local cache poisoning: priming an attacker-controlled tarball into the global cache so the resolved “same” integrity actually pulls new bytes.
    diagram alur serangan package-lock.json integrity bypass pada pipeline CI
    Integrity bypass rarely breaks the lockfile format. It bends the trust assumptions around it.

    Five Real-World Bypass Techniques Senior Engineers Keep Missing

    These are not theoretical. Each one shows up in post-mortems from teams running serious CI at scale.

    1. npm install Where npm ci Should Run

    Every senior engineer has typed this. The problem? npm install mutates the lockfile if it disagrees with package.json, and it does not always fail loudly. An attacker who can nudge a dependency's published semver range still walks in through a routine install step.

    # Safer baseline for CI
    npm ci --ignore-scripts
    # Disallow lockfile mutation post-install
    git diff --exit-code package-lock.json

    2. Re-Resolution via Private Registries Misconfiguration

    package-lock.json integrity hashes are scoped-by-registry, but only when the URL stays identical. Flip a package to a scoped mirror with a different host, and npm will happily compute a new integrity key against the new URL. Same package name, same version, different bytes.

    Mitigation: pin registry per scope in .npmrc, deny unknown registries at egress, and artifact-sign resolutions with tools like npm audit signatures and Sigstore.

    3. Tampering via npm-shrinkwrap.json Override

    When npm-shrinkwrap.json lives alongside package-lock.json, npm silently prefers the shrinkwrap. An attacker with write access to a feature branch can land a shrinkwrap-only change that overrides the reviewed lockfile. The PR diff looks tiny. The resolved graph is not.

    4. Lifecycle Script Execution Before Integrity Check

    Most installers run preinstall scripts before they validate a resolved tarball against its announced integrity hash. A malicious dependency can race the install, drop a backdoor into node_modules, or rewrite build outputs cached for CI. Disabling lifecycle scripts breaks popular packages, so the better move is to require sandboxed installs (Docker, ephemeral runners, Firejail, Bubblewrap).

    contoh kode commit lockfile yang rentan terhadap bypass pada npm
    A 12-line lockfile diff can hide a transitive rewrite. Treat every change like a code change.

    5. Hash Collisions in Nested Dependency Trees

    Even when injected packages deliver the announced integrity hash, the practical contract is the bytes served by the registry on that day. A nested dependency with a compromised maintainer account can ship identical hashes for different content while the lockfile proves precisely nothing. Cross-package signing (npm provenance, Sigstore, in-toto attestations) is the only durable defense.

    contoh perbandingan integritas hash lockfile sebelum dan sesudah tampering
    An integrity hash only proves the bytes you received, not the bytes the maintainer intended to publish.

    The Lockfile Contract Framework: Freeze, Attest, Replay

    Here is the framework I use when auditing CI for senior engineering teams. It is not a checklist. It is a contract.

    Freeze: Treat the Lockfile as Immutable

    CI must refuse installs that would mutate the lockfile. Tools like oss-review-toolkit and npm's own install-strategy=nested help you detect drift early. Pair this with a package-lock.json hash stored outside the repo as build-time evidence.

    Attest: Require Signed Provenance on Every Dependency

    Lockfile integrity answers “did the bytes match?” Provenance answers “who published them, from what commit, through what pipeline?” Adopt npm provenance, Sigstore, or in-toto for any dependency that gates production. If a package cannot prove itself, it does not enter your build.

    Replay: Diff, Audit, Block

    Every lockfile PR should trigger:

    • Automated npm audit signatures and CVE checks.
    • Maintainer tenure and repo activity review for new packages.
    • Manifest diff highlighting transitive bumps, especially "major" jumps.
    • Sandbox-driven replay of the resolved tree against a fresh npm ci.
    ilustrasi grafik dependency yang ditembus oleh attacker melalui lockfile
    Replay is the cheapest way to prove your build still produces the artifact your team reviewed.

    CI Hardening Checklist for Security Architects

    • Require npm ci with --ignore-scripts in production builds; explicitly allow scripts only in vetted ephemeral runners.
    • Block merges on any unplanned package-lock.json or npm-shrinkwrap.json diff.
    • Pin registry per scope in .npmrc and enforce via egress proxy.
    • Run npm audit signatures on every install; fail builds without provenance.
    • Schedule weekly npm ls --all triage for newly discovered transitive packages.
    • Generate CycloneDX or SPDX SBOMs and compare against the prior release.
    • Force MFA + scoped tokens for every publish-capable account.
    • Mirror your internal registry through a hardened proxy that re-validates integrity on every fetch.

    For a deeper dive into broader dependency review culture, see our earlier playbook on why your lockfile lies when you use plain install in CI and the case for failing fast when plugins release unsigned zips. If you are still relying on visual PR review for dependency updates, also read our guide on typosquatted package names sneaking into CI.

    FAQ

    Is package-lock.json integrity enough to stop supply chain attacks?

    No. Integrity hashes only prove the bytes you received. Attackers who control a registry, a maintainer account, or a lifecycle script can still ship malicious code that passes the integrity check. Pair lockfile integrity with provenance, scoped registries, and sandboxed installs.

    Why does npm ci matter for security?

    npm ci refuses to mutate the lockfile and installs the exact tree your team reviewed. npm install can silently re-resolve, update, or rewrite entries, which is the entire point of an integrity bypass. Senior teams default to npm ci on every CI job and gate npm install behind dependency-update PRs.

    Should I disable lifecycle scripts globally?

    Use --ignore-scripts on CI by default, then enable scripts in a sandboxed runner only for the few packages that genuinely need them. This breaks native build packages, so build a small allowlist and keep your supply chain surface tight.

    Make the Lockfile Loud, Not Polite

    Integrity bypass techniques succeed because most teams let the lockfile stay polite: present, occasionally updated, never challenged. The senior engineering move is to make it loud. Lock it, sign it, replay it, and reject drift the moment it shows up.

    If you want more advanced supply chain playbooks, drop into our Google newsletter below. We ship one field-tested CI hardening breakdown every Friday, straight from real incident reviews.

    About the Author

    Dzul Qurnain

    Suka nonton Anime, ngoding dan bagi-bagi tips kalau tahu.. Oh iya, suka baca ( tapi yang menarik menurutku aja)... Praktisi WordPress, web development, SEO, dan server administration yang membagikan tutorial teknis dan catatan implementasi nyata.

    View All Articles