A Secure Way to Run npm ci

A Secure Way to Run npm ci

No matter how much you trust in the npmjs package registry in general and in packages you are using in particular, Bad Thingsā„¢ always happen. They happen to the best of us. Even a small Node.js project may have thousands of dependencies, which makes it virtually impossible for a developer to monitor and audit them all.

An NPM package has two main ways to harm you: the first one is when you install it, and the second one is when you actually use it. The first way is possible because of the so-called “lifecycle scripts” run by npm. And even though one of the earliest attacks exploiting lifecycle scripts dates back to 2017, developers still do not take measures to protect their data.

This post explains how to protect sensitive information (such as authentication tokens) when running CI builds.

MariaDB Driver for Knex

MariaDB Driver for Knex

I once had to work with a project which used MariaDB connector for Node.js, and for some reasons it was necessary to add Knex query builder to it. The main issue was that Knex supports only a few drivers, and MariaDB is unfortunately not one of them. I had to write a MariaDB client for Knex myself, and that was surprisingly easy.