MediumFrontend Security📖 Theory Question

How do you protect a frontend app against dependency supply chain attacks?

💡

Hint

Lock file, Subresource Integrity, audit CI, minimal dependencies, private registry proxying

Full Answer

Supply chain attacks target the npm packages your app depends on (e.g., the event-stream malware, left-pad removal, typosquatting).

Defenses:

1. Lock files — commit package-lock.json or pnpm-lock.yaml. CI runs npm ci (not npm install) to install exact locked versions.

2. Automated auditing — run npm audit or pnpm audit in CI; fail the build on high-severity CVEs. Dependabot or Renovate auto-opens PRs for patches.

3. Subresource Integrity (SRI) — for third-party CDN scripts, add a integrity hash. Browser refuses to execute the script if the hash doesn't match.

<script
  src="https://cdn.example.com/lib.js"
  integrity="sha384-abc123..."
  crossorigin="anonymous"></script>

4. Minimal dependency footprint — every added package is an attack surface. Prefer native browser APIs; audit new deps on Bundlephobia and Snyk before adding them.

5. Private registry proxy — proxy npm through Artifactory or Verdaccio; allows allow-listing, caching, and scanning before packages reach developers.

More Frontend Security Questions

EasyWhat is XSS (Cross-Site Scripting) and how do you prevent it?EasyWhat is CSRF and how do SameSite cookies and CSRF tokens prevent it?EasyWhat is a Content Security Policy (CSP) and how does it work?EasyWhat is clickjacking and how do you prevent it?

Practice this in a timed sprint →

5 free questions, no signup required

⚡ Start Sprint