Hi! I'm

Federico Calò

Software Developer | Technical Writer

I create modern web applications and custom digital tools to help businesses grow through technological innovation. My passion is combining computer science and economics to generate real value.

Contact Me

About Me

My passion for computer science was born at the Technical Commercial Institute of Maglie, where I discovered the power of programming and the fascination of creating digital solutions. From the start, I understood that computer science was not just code, but an extraordinary tool for turning ideas into reality.

During my studies in Business Information Systems, I began to interweave computer science and economics, understanding how technology can be the engine of growth for any business. This vision accompanied me to the University of Bari, where I obtained my degree in Computer Science, deepening my technical skills and passion for software development.

Today I put this experience at the service of businesses, professionals and startups, creating tailor-made digital solutions that automate processes, optimize resources and open new business opportunities. Because true innovation begins when technology meets the real needs of people.

My Skills

Data Analysis & Predictive Models

I transform data into strategic insights with in-depth analysis and predictive models for informed decisions

Process Automation

I create custom tools that automate repetitive operations and free up time for value-added activities

Custom Systems

I develop tailor-made software systems, from platform integrations to customized dashboards

const federico = {
  nome: "Federico Calò",
  ruolo: "Sviluppatore Software",
  città: "Bari, Italia",
  missione: "Aiutare attraverso l'informatica",
  passioni: [
    "Codice Pulito",
    "Innovazione",
    "Crescita Continua"
  ]
};

La Mia Missione

Credo fermamente che l'informatica sia lo strumento più potente per trasformare le idee in realtà e migliorare la vita delle persone.

Democratizzare la Tecnologia

La mia missione è rendere l'informatica accessibile a tutti: dalle piccole imprese locali alle startup innovative, fino ai professionisti che vogliono digitalizzare la propria attività. Ogni realtà merita di sfruttare le potenzialità del digitale.

Unire Informatica ed Economia

Non è solo questione di scrivere codice: è capire come la tecnologia possa generare valore reale. Intrecciando competenze informatiche e visione economica, aiuto le attività a crescere, ottimizzare processi e raggiungere nuovi traguardi di efficienza e redditività.

Creare Soluzioni su Misura

Ogni attività è unica, e così devono esserlo le soluzioni. Sviluppo strumenti personalizzati che rispondono alle esigenze specifiche di ciascun cliente, automatizzando processi ripetitivi e liberando tempo per ciò che conta davvero: far crescere il business.

Trasforma la Tua Attività con la Tecnologia

Che tu gestisca un negozio, uno studio professionale o un'azienda, posso aiutarti a sfruttare le potenzialità dell'informatica per lavorare meglio, più velocemente e in modo più intelligente.

Parliamone Insieme →

Join the Community

Join the developer community where we discuss software, AI, architecture and DevOps. Share ideas, ask questions and grow with us.

Channel

FC Dev Blog

Get notifications on new articles, complete series, weekly tips and featured tools. Bilingual IT/EN content directly in your Telegram.

New articles as they are published
Weekly tips and code snippets
Polls on future topics

Subscribe to Channel

Group

FC Dev Community

A bilingual IT/EN community for developers. Discussions, Q&A, mutual help and networking with other professionals.

Discussions on articles and technologies
Coding help and code review
Job opportunities and collaboration

Join the Group

Discussion Topics

View

Master SQL

RoadMap.sh

November 2024

View

Oracle Certified Foundations Associate

Oracle

October 2024

View

People Leadership Credential

Connect

September 2024

💻 Languages & Technologies

Java

Python

JavaScript

Angular

React

TypeScript

SQL

PHP

CSS/SCSS

Node.js

Docker

Git

💼

12/2024 - Present

Custom Software Engineering Analyst

Accenture

Bari, Puglia, Italy · Hybrid Analysis and development of computer systems through the use of Java and Quarkus in Health and Public Sector. Continuous training on modern technologies for creating customized and efficient software solutions and on agents.

💼

06/2022 - 12/2024

Software analyst and Back End Developer Associate Consultant

Links Management and Technology SpA

Experience analyzing as-is software systems and ETL flows using PowerCenter. Completed Spring Boot training for developing modern and scalable backend applications. Backend developer specialized in Spring Boot, with experience in database design, analysis, development and testing of assigned tasks.

💼

02/2021 - 10/2021

Software programmer

Adesso.it (prima era WebScience srl)

Experience in AS-IS and TO-BE analysis, SEO evolutions and website evolutions to improve user performance and engagement.

🎓

2018 - 2025

Degree in Computer Science

University of Bari Aldo Moro

Bachelor's degree in Computer Science, focusing on software engineering, algorithms, and modern development practices.

📚

2013 - 2018

Diploma - Corporate Information Systems

Technical Commercial Institute of Maglie

Technical diploma specializing in Business Information Systems, combining IT knowledge with business management.

Contattami

Hai un progetto in mente? Parliamone! Compila il form qui sotto e ti risponderò al più presto.

* Campi obbligatori. I tuoi dati saranno utilizzati solo per rispondere alla tua richiesta.

06 - Supply Chain Security: npm audit, SBOM and Dependency Management

September 2025 marked a turning point in software security history: eighteen of the most downloaded npm packages in the world, including chalk, debug, and ansi-styles, were compromised through a targeted phishing campaign against their maintainers. Within hours, over 2.6 billion weekly downloads were exposed to obfuscated JavaScript designed to intercept cryptocurrency transactions. This was not an attack on your application, but on the ecosystem that supports it.

This scenario illustrates the fundamental nature of supply chain attacks: they target not the code you write, but the code you trust. Every dependency you install with npm install represents code written by others, maintained by others, and potentially compromised by others. In a typical Node.js project, direct dependencies are usually 20-50 packages, but the full transitive dependency graph can easily reach 500-1000 libraries. Are you really auditing all of that code?

According to OWASP Top 10:2025, the A03: Software and Data Integrity Failures category explicitly includes supply chain failures as a critical attack vector. This is one of the two new categories introduced in the 2025 edition, an explicit recognition that code security can no longer be separated from dependency security. This article gives you the concrete tools to protect yourself.

What You Will Learn

Anatomy of a supply chain attack: typosquatting, dependency confusion, lockfile poisoning
npm audit, yarn audit, pnpm audit: advanced usage and automation
Lockfile integrity and hash verification with npm ci
SBOM: generation with CycloneDX and SPDX, NTIA standards
Snyk and Dependabot: continuous vulnerability monitoring
GitHub Actions hardening: SHA-pinning and minimal permissions
Container image security: Trivy, Syft and signing with Cosign/Sigstore
Dependency confusion and how to defend with private npm scopes

Anatomy of a Supply Chain Attack

Understanding how supply chain attacks work is the first step to defending against them. There are several main categories, each with distinct characteristics and attack vectors.

Typosquatting: the danger of a typo

Typosquatting exploits common typing mistakes. An attacker publishes lodahs (instead of lodash), requst (instead of request), or colerrs (instead of colors). In 2025, security researchers identified a set of typosquatted packages designed to mimic popular libraries that launched hidden terminals through postinstall scripts to silently exfiltrate credentials.

The primary defense is careful name verification before installing any package. Tools like Snyk and Socket.dev automatically analyze name similarity with existing packages and flag potential typosquatting before installation.

Dependency Confusion: public vs private scopes

Dependency confusion (or namespace confusion) is a more sophisticated attack first documented by Alex Birsan in 2021. The attacker publishes on public npm a package with the same name as an internal private package of the target company, but with a higher version number. npm, by default, resolves the highest version from the public registry, causing the malicious package to replace the legitimate one.

Real Case: Large-Scale Dependency Confusion

In 2021, Alex Birsan compromised over 35 large companies including Microsoft, Apple, PayPal, and Shopify using this technique, earning more than $130,000 in bug bounties. The mechanism was simple: find internal package names in public configuration files (package.json, pyproject.toml) and publish them with version 9.9.9 on public registries.

Maintainer Account Takeover

The most insidious attack of 2025 demonstrated how targeted phishing against maintainers has become the preferred vector. Once a legitimate maintainer's account is compromised, the attacker publishes malicious versions of already-trusted packages. The community trusts the package, security tests pass, and the malicious code enters production.

Lockfile Poisoning

In a lockfile poisoning attack, a malicious contributor directly modifies the package-lock.json or yarn.lock in a pull request to point to compromised versions or different hashes than expected. If the review process does not include lockfile verification, the malicious code passes unnoticed.

npm audit: Advanced Usage

npm audit is the starting point, but using it correctly requires more than a simple run. Let's see how to integrate it effectively into the development workflow.

# Basic audit with JSON output for automated processing
npm audit --json

# Audit only production dependencies (excludes devDependencies)
npm audit --omit=dev

# Automatically fix patchable vulnerabilities
npm audit fix

# Fix including breaking changes (use with caution)
npm audit fix --force

# Audit with severity threshold: exit code 1 if critical found
npm audit --audit-level=critical

# Audit with moderate threshold
npm audit --audit-level=moderate

# Output format for CI/CD pipeline
npm audit --json | jq '.metadata.vulnerabilities'

For a project with many dependencies, the number of vulnerabilities can be high and difficult to manage. An effective strategy is to configure a .npmrc file with project audit policies, or use npm audit with an exceptions configuration file.

# Install npm-audit-resolver to manage exceptions
npm install -g npm-audit-resolver

# Interactive process to handle each vulnerability
audit-resolve

# Subsequent verification (uses saved exceptions)
audit-resolve --ci

# package.json scripts for safe CI
# package.json
{
  "scripts": {
    "audit:ci": "npm audit --audit-level=high --omit=dev",
    "audit:full": "npm audit --json > audit-report.json",
    "audit:check": "npm audit --audit-level=critical"
  }
}

pnpm audit and yarn audit

If you use pnpm or yarn, the audit commands are similar but with some important differences. pnpm offers more granular control over dependencies, while yarn v2/v3 (Berry) has significantly improved hash management.

# pnpm audit
pnpm audit
pnpm audit --audit-level high
pnpm audit --prod  # production only

# yarn audit (classic v1)
yarn audit
yarn audit --level high

# yarn audit (Berry v2/v3)
yarn npm audit
yarn npm audit --severity high

# JSON output for processing
pnpm audit --json | jq '.advisories | length'

Lockfile Integrity: The First Line of Defense

The lockfile (package-lock.json, yarn.lock, pnpm-lock.yaml) is fundamental for build reproducibility and security. Each entry in the lockfile includes not only the exact version, but also the content hash of the package.

npm ci vs npm install: A Critical Distinction

In production and CI/CD, always use npm ci instead of npm install. npm ci installs exactly the versions specified in the lockfile, verifies the cryptographic hashes of each package, and fails if the lockfile is out-of-sync with package.json. npm install can silently update the lockfile.

# CORRECT for CI/CD: verify lockfile integrity
npm ci

# Manual hash verification in the lockfile
# package-lock.json contains entries like:
# "node_modules/lodash": {
#   "version": "4.17.21",
#   "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
#   "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZboqV76wE2wDvQ6",
# }

# Verify the lockfile hasn't been modified
git diff package-lock.json | head -50

# Pre-commit hook to prevent unauthorized lockfile changes
# .husky/pre-commit
#!/bin/sh
if git diff --cached --name-only | grep -q "package-lock.json"; then
  echo "WARNING: package-lock.json modified. Verifying dependencies."
  npm audit --audit-level=high
fi

.npmrc Configuration for Security

The .npmrc file allows you to configure npm with security policies that apply to the entire project or the current user.

# .npmrc - project security configuration

# Always require HTTPS for the registry
registry=https://registry.npmjs.org/

# Enable strict-ssl (default: true, never disable!)
strict-ssl=true

# Automatic audit after every install
audit=true

# Fund messages: disable for CI
fund=false

# Use lockfile (default: true)
package-lock=true

# For workspaces with private packages on Artifactory/Nexus registry
# @mycompany:registry=https://npm.mycompany.internal/
# //npm.mycompany.internal/:_authToken={NPM_TOKEN}

# Dependency confusion prevention: scoped packages always on private registry
# @internal:registry=https://npm.internal.company.com/

Dependency Confusion: Defending with Private Scopes

The most effective defense against dependency confusion is ensuring that private packages always use a dedicated scope and that npm is configured to resolve that scope exclusively from the internal registry.

# package.json with correct private scope
{
  "dependencies": {
    "@mycompany/auth-utils": "^2.1.0",
    "@mycompany/api-client": "^1.5.0"
  }
}

# .npmrc - private scopes always on internal registry
@mycompany:registry=https://npm.mycompany.internal/
//npm.mycompany.internal/:_authToken=#123;INTERNAL_NPM_TOKEN}

# Verify that a @mycompany package does NOT exist on public npm
npm view @mycompany/auth-utils --registry https://registry.npmjs.org/
# Should return 404 - if it returns a package, someone did typosquatting!

# GitHub Actions: automated check for private packages absent from public npm
# - name: Check private packages not on public npm
#   run: |
#     for pkg in $(cat package.json | jq -r '.dependencies | keys[]' | grep "^@mycompany"); do
#       if npm view $pkg --registry https://registry.npmjs.org/ 2>/dev/null; then
#         echo "ALERT: $pkg found on public npm!" && exit 1
#       fi
#     done

SBOM: Software Bill of Materials

A Software Bill of Materials (SBOM) is a complete and formal inventory of all software components in an application: third-party libraries, transitive dependencies, versions, licenses, and known vulnerabilities. It has become a de facto requirement for enterprise security and, in some sectors (US government, critical infrastructure), is mandated by law.

The two main standards are SPDX (Software Package Data Exchange, Linux Foundation) and CycloneDX (OWASP). SPDX is license compliance-oriented, CycloneDX is optimized for security and vulnerability management. For web applications, CycloneDX is generally the better choice.

Why SBOM Matters

Projects using SBOMs to manage dependencies achieve a 264-day reduction in Mean Time to Remediate (MTTR) for critical vulnerabilities compared to those without SBOMs. In the event of a new CVE (like Log4Shell), an SBOM allows identifying all affected projects in minutes rather than weeks of manual analysis.

SBOM Generation with CycloneDX

# Install CycloneDX CLI for Node.js
npm install -g @cyclonedx/cyclonedx-npm

# Generate SBOM in JSON format (CycloneDX v1.6)
cyclonedx-npm --output-format json --output-file sbom.json

# Generate SBOM in XML format
cyclonedx-npm --output-format xml --output-file sbom.xml

# With dev dependencies excluded
cyclonedx-npm --omit dev --output-format json --output-file sbom-prod.json

# Verify the generated SBOM
cat sbom.json | jq '.metadata.component.name'
cat sbom.json | jq '.components | length'
cat sbom.json | jq '.vulnerabilities | length'

# Example SBOM JSON output (CycloneDX v1.6 structure)
# {
#   "bomFormat": "CycloneDX",
#   "specVersion": "1.6",
#   "serialNumber": "urn:uuid:1a2b3c4d-...",
#   "version": 1,
#   "metadata": {
#     "timestamp": "2026-02-25T10:30:00Z",
#     "tools": [...],
#     "component": {
#       "type": "application",
#       "name": "my-app",
#       "version": "1.0.0"
#     }
#   },
#   "components": [
#     {
#       "type": "library",
#       "name": "express",
#       "version": "4.18.2",
#       "purl": "pkg:npm/express@4.18.2",
#       "hashes": [
#         { "alg": "SHA-256", "content": "abc123..." }
#       ],
#       "licenses": [{ "license": { "id": "MIT" } }]
#     }
#   ]
# }

SBOM Generation with Syft

Syft by Anchore is one of the most comprehensive tools for SBOM generation, with support for container images, filesystems, and npm/pip/go/java artifacts.

# Install Syft
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

# SBOM from project directory (CycloneDX JSON format)
syft dir:. -o cyclonedx-json=sbom.json

# SBOM from container image
syft nginx:latest -o spdx-json=sbom-nginx.json

# SBOM from local Docker image
syft docker:my-app:latest -o cyclonedx-json=sbom.json

# Output in multiple formats simultaneously
syft dir:. \
  -o cyclonedx-json=sbom-cdx.json \
  -o spdx-json=sbom-spdx.json \
  -o table

# Filter only npm components
syft dir:. -o cyclonedx-json | jq '.components[] | select(.purl | startswith("pkg:npm"))'

Snyk and Dependabot: Continuous Monitoring

One-time monitoring is not enough: new vulnerabilities are discovered every day. Snyk and GitHub Dependabot offer continuous monitoring with automatic alerts and update pull requests.

Snyk CLI and Integration

# Install Snyk CLI
npm install -g snyk

# Authentication
snyk auth

# Test project vulnerabilities
snyk test

# Test with threshold: exit 1 if high/critical vulnerabilities found
snyk test --severity-threshold=high

# Continuous monitoring (sends snapshot to Snyk dashboard)
snyk monitor

# Automatic fix with patches
snyk fix

# Generate HTML report
snyk test --json | snyk-to-html -o report.html

# Test container image
snyk container test nginx:latest --severity-threshold=high

# Generate SBOM via Snyk
snyk sbom --format cyclonedx1.6+json

# package.json integration
# {
#   "scripts": {
#     "security:test": "snyk test --severity-threshold=high",
#     "security:monitor": "snyk monitor",
#     "security:container": "snyk container test $IMAGE_NAME"
#   }
# }

GitHub Dependabot: Optimal Configuration

# .github/dependabot.yml
version: 2
updates:
  # npm/Node.js dependencies
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
      timezone: "Europe/Rome"
    open-pull-requests-limit: 10
    # Group patch and minor updates together
    groups:
      production-dependencies:
        dependency-type: "production"
        update-types:
          - "minor"
          - "patch"
      dev-dependencies:
        dependency-type: "development"
        update-types:
          - "minor"
          - "patch"
    # Automatic labels for PRs
    labels:
      - "dependencies"
      - "security"
    # Automatic reviewers
    reviewers:
      - "security-team"
    # Ignore major updates for critical libraries
    ignore:
      - dependency-name: "webpack"
        update-types: ["version-update:semver-major"]

  # GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

GitHub Actions Security: SHA-Pinning and Hardening

GitHub Actions represent a critical supply chain attack vector. In 2024, the compromise of tj-actions/changed-files demonstrated how a widely-used action can be compromised and used to exfiltrate secrets from thousands of repositories. The primary defense is SHA-pinning: instead of referencing an action by tag (@v4), use the immutable commit hash.

# .github/workflows/security-ci.yml
name: Security CI Pipeline

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

# Minimal permissions (principle of least privilege)
permissions:
  contents: read
  security-events: write  # For uploading SARIF to GitHub Security tab

jobs:
  dependency-audit:
    name: Dependency Security Audit
    runs-on: ubuntu-latest
    permissions:
      contents: read

    steps:
      # SHA-pinned: use commit hash, not tag!
      # actions/checkout@v4 -> exact commit SHA
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2

      - name: Setup Node.js
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v4.1.0
        with:
          node-version: '22'
          cache: 'npm'

      # Use npm ci (not npm install) for lockfile verification
      - name: Install dependencies (strict lockfile)
        run: npm ci --ignore-scripts

      # Audit with exit code to block the build
      - name: npm audit
        run: npm audit --audit-level=high --omit=dev

      # Snyk test (requires SNYK_TOKEN secret)
      - name: Snyk Security Test
        uses: snyk/actions/node@b98d498629f1c5e3943f89a5c62b5e5d4e2f86c0  # SHA pinned
        env:
          SNYK_TOKEN: #123;{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high --fail-on=upgradable

  sbom-generation:
    name: Generate SBOM
    runs-on: ubuntu-latest
    needs: dependency-audit
    permissions:
      contents: write
      id-token: write  # For OIDC (Sigstore)
      attestations: write

    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2

      - name: Setup Node.js
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v4.1.0
        with:
          node-version: '22'

      - name: Install dependencies
        run: npm ci --ignore-scripts

      - name: Generate SBOM (CycloneDX)
        run: |
          npm install -g @cyclonedx/cyclonedx-npm
          cyclonedx-npm --omit dev --output-format json --output-file sbom.json

      # Attest SBOM with OIDC (GitHub native attestation)
      - name: Attest SBOM
        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c  # v1.4.3
        with:
          subject-path: sbom.json

      - name: Upload SBOM as artifact
        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1  # v4.6.0
        with:
          name: sbom
          path: sbom.json

Anti-Pattern: Never Use Tags for Third-Party Actions

uses: some-org/some-action@v2 is vulnerable: if the maintainer's account is compromised, the tag can be updated to point to malicious code. Always use the format uses: some-org/some-action@SHA_HASH # v2.0.0 and include the tag as a comment for readability. Tools like pinact and action-pins automate this process.

Container Image Security

If your application is deployed in Docker containers, the attack surface also includes the base image and installed OS packages. Trivy and Grype are the main tools for scanning vulnerabilities in container images.

# Install Trivy
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin

# Scan local image
trivy image my-app:latest

# Only CRITICAL and HIGH vulnerabilities
trivy image --severity HIGH,CRITICAL my-app:latest

# Output in SARIF format for GitHub Security tab
trivy image --format sarif --output trivy-results.sarif my-app:latest

# Filesystem scan (without Docker too)
trivy fs --scanners vuln,secret,misconfig .

# Scan with SBOM output
trivy image --format cyclonedx --output sbom.json my-app:latest

# Dockerfile best practices: use distroless images
# FROM node:22-alpine AS builder
# WORKDIR /app
# COPY package*.json ./
# RUN npm ci --omit=dev
# COPY . .
# RUN npm run build

# Use distroless as runtime (minimum attack surface)
# FROM gcr.io/distroless/nodejs22-debian12
# COPY --from=builder /app/dist /app
# EXPOSE 3000
# CMD ["/app/server.js"]

# Sign image with Cosign/Sigstore
cosign sign --yes my-registry/my-app:latest
# Verify signature
cosign verify my-registry/my-app:latest \
  --certificate-identity-regexp=".*" \
  --certificate-oidc-issuer="https://accounts.google.com"

Angular Security Checklist: Supply Chain

For Angular projects, there are specific considerations related to the toolchain (Angular CLI, webpack/esbuild, ng-packagr) and the npm ecosystem.

# Angular Supply Chain Security Checklist

# 1. Verify Angular CLI and dependency versions
ng version
npm audit

# 2. Update Angular to the latest LTS version
ng update @angular/core @angular/cli

# 3. Check peer dependencies
npm ls --depth=0

# 4. Identify deprecated dependencies
npm outdated

# 5. Use npm ci in all Angular CI/CD pipelines
npm ci

# 6. Verify lockfile integrity before each build
git diff package-lock.json

# 7. Configure angular.json for production build with source-map disabled
# angular.json
# "configurations": {
#   "production": {
#     "sourceMap": false,
#     "optimization": true,
#     "buildOptimizer": true
#   }
# }

# 8. Scan Angular-specific dependencies
snyk test --file=package.json

# 9. Generate SBOM for the Angular project
cyclonedx-npm --output-format json --output-file sbom-angular.json

# 10. Add Content-Security-Policy in Angular SSR server
# For Express server in server.ts:
# app.use((req, res, next) => {
#   res.setHeader('Content-Security-Policy',
#     "default-src 'self'; script-src 'self'");
#   next();
# });

Typosquatting: Preventive Detection

Before installing any new package, it is good practice to verify it with dedicated analysis tools. Socket.dev is one of the best tools for analyzing npm package security before installation.

# Socket.dev CLI for preventive analysis
npm install -g @socketsecurity/cli

# Analyze a package before installing it
socket npm info lodash

# Scan the existing project
socket scan create --view

# npm-check for outdated packages and typosquatting
npm install -g npm-check
npm-check

# Manual verification: check who published the package
npm view express maintainers
npm view express time  # publication history

# Red flags to look for:
# - Package published a few days ago with many downloads
# - Maintainer with short history
# - No homepage or repository
# - Suspicious postinstall/preinstall scripts

# Verify scripts in the dependency's package.json
npm view lodash scripts

# Install without running lifecycle scripts (postinstall, preinstall)
npm install --ignore-scripts

# Verify package contents before using it
npm pack lodash --dry-run

Red Flags in npm Packages

postinstall script: runs code at install time
Environment variable access: process.env in a package that shouldn't need it
HTTP requests to unknown domains: no UI package should make network calls at install time
Native dependencies (bindings): compile C/C++ code with system access
Version 0.0.1 with 10M downloads: impossible, signal of statistical manipulation
Name similar to famous packages: always check on npm.im before installing

Complete Workflow: Security Gate in CI/CD

Integrating all these tools into a coherent security gate ensures that no build reaches production without passing supply chain security checks.

# .github/workflows/supply-chain-security.yml
name: Supply Chain Security Gate

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Run every day at 6:00 UTC for continuous monitoring
    - cron: '0 6 * * *'

permissions:
  contents: read
  security-events: write

jobs:
  security-gate:
    name: Supply Chain Security Gate
    runs-on: ubuntu-latest
    timeout-minutes: 15

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2

      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v4.1.0
        with:
          node-version: '22'
          cache: 'npm'

      # Verify lockfile integrity
      - name: Verify lockfile integrity
        run: |
          if [ ! -f "package-lock.json" ]; then
            echo "ERROR: package-lock.json missing!" && exit 1
          fi
          npm ci --ignore-scripts

      # npm audit - block on HIGH/CRITICAL
      - name: npm audit (production)
        run: npm audit --audit-level=high --omit=dev
        continue-on-error: false

      # Snyk test
      - name: Snyk vulnerability scan
        uses: snyk/actions/node@b98d498629f1c5e3943f89a5c62b5e5d4e2f86c0
        env:
          SNYK_TOKEN: #123;{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high --sarif-file-output=snyk.sarif

      # Upload results to GitHub Security tab
      - name: Upload Snyk results to GitHub Security
        uses: github/codeql-action/upload-sarif@dd746615b1a4b1e1c5d3b87432fe040f4c04082  # v3.28.0
        with:
          sarif_file: snyk.sarif

      # Generate SBOM
      - name: Generate SBOM
        run: |
          npm install -g @cyclonedx/cyclonedx-npm
          cyclonedx-npm --omit dev \
            --output-format json \
            --output-file sbom-#123;{ github.sha }}.json

      # Save SBOM as artifact
      - name: Archive SBOM
        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1  # v4.6.0
        with:
          name: sbom-#123;{ github.sha }}
          path: sbom-#123;{ github.sha }}.json
          retention-days: 90

      # License check
      - name: Check licenses
        run: |
          npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC;0BSD' \
            --excludeDevDependencies \
            --json > licenses.json || {
              echo "ALERT: Non-compliant licenses found!"
              cat licenses.json
              exit 1
            }

Conclusions and Next Steps

Supply chain security is not a one-time activity but a continuous process. 2025 demonstrated that even the most trusted packages can be compromised, and that defense must be layered: lockfile verification, automated audits, SBOMs generated at every release, GitHub Actions with SHA-pinning, and continuous monitoring with Snyk or Dependabot.

Start with the simplest steps: add npm audit --audit-level=high to your CI/CD, always use npm ci instead of npm install in pipelines, and enable Dependabot on your repository. These three changes cover the majority of attack vectors with minimal time investment.

The next step is generating SBOMs at every release and implementing a complete security gate like the one shown in this article. With OWASP A03 Supply Chain Failures now officially in the Top 10 2025, this is no longer a nice-to-have: it is a professional responsibility for every developer.

Continue the Series: Web Security for Developers

01 - OWASP Top 10 2025: The Complete Developer Guide
02 - XSS, CSRF and CSP: Essential Frontend Security
03 - SQL Injection and Input Validation: Backend Security Guide
04 - Secure Authentication: Session Management and Cookies
05 - API Security: OAuth 2.1, JWT Best Practices and Rate Limiting
06 - Supply Chain Security: npm audit, SBOM and Dependencies (this article)
07 - Cryptographic Failures: Hashing, Encryption and Tokens
08 - DevSecOps for Developers: SAST, DAST in CI/CD Pipeline

Also explore the DevOps Frontend series (IDs 250-255) to integrate security into your deployment workflow.