Skip to main content
bagel
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. bagel
  2. /
  3. Probes
  4. /
  5. NPM Probe

NPM Probe

The npm probe examines your NPM and Yarn configuration files for insecure settings.

What It Checks

CheckFinding IDSeverityDescription
SSL Verificationnpm-ssl-verify-disabledHighstrict-ssl=false
Insecure Registrynpm-insecure-registryHighHTTP registry configured
Always Authnpm-always-auth-enabledLowalways-auth=true (informational)

Files Scanned

  • ~/.npmrc
  • ~/.yarnrc
  • Project-level .npmrc and .yarnrc files

Findings

npm-ssl-verify-disabled

Severity: High

NPM is configured to skip SSL certificate verification (strict-ssl=false). This makes you vulnerable to man-in-the-middle attacks when installing packages.

Why This Is Dangerous:

Best practice especially inside corporate networks with custom registries

Remediation:

Remove the setting from your .npmrc:

# Remove the line "strict-ssl=false" from ~/.npmrc
# Or run:
npm config delete strict-ssl

If you need to use a corporate registry with a self-signed certificate, configure the CA certificate instead:

npm config set cafile /path/to/corporate-ca.crt

npm-insecure-registry

Severity: High

NPM is configured to use an HTTP (non-HTTPS) registry. Package downloads are not encrypted and could be intercepted or modified.

Why This Is Dangerous:

Without TLS encryption:

  • Credentials may be transmitted in plain text
  • Package contents can be modified in transit
  • You have no verification that packages came from the registry

Remediation:

Update your registry configuration to use HTTPS:

# Check current registry
npm config get registry

# Set to HTTPS
npm config set registry https://registry.npmjs.org/

# For scoped packages
npm config set @mycompany:registry https://npm.mycompany.com/

If your internal registry doesn’t support HTTPS, work with your infrastructure team to enable TLS.

npm-always-auth-enabled

Severity: Low

NPM is configured with always-auth=true, which sends authentication credentials with every request, even to public registries.

Why This Is Noted:

While always-auth can be legitimate for private registries, it:

  • May leak tokens to registries that don’t need them
  • Increases the risk if .npmrc is accidentally committed

Remediation:

If you don’t need always-auth:

npm config delete always-auth

For private registries, configure auth per-registry instead:

# ~/.npmrc
@mycompany:registry=https://npm.mycompany.com/
//npm.mycompany.com/:_authToken=${NPM_TOKEN}

Secret Detection

The NPM probe also scans .npmrc and .yarnrc files for embedded secrets using all registered detectors. This can catch:

  • NPM authentication tokens (npm_*)
  • Registry passwords in URLs
  • Bearer tokens in auth configurations

Best Practices

  1. Never commit .npmrc with tokens - Use environment variables:

    //registry.npmjs.org/:_authToken=${NPM_TOKEN}

  2. Use HTTPS registries only - Never use HTTP for package registries

  3. Scope private registry auth - Don’t send auth to public registries:

    @mycompany:registry=https://npm.mycompany.com/
//npm.mycompany.com/:_authToken=${NPM_TOKEN}

  4. Review package-lock.json - Ensure resolved URLs use HTTPS

  5. Use npm audit - Regularly check for vulnerable dependencies:

    npm audit
npm audit fix
gdoc_arrow_left_alt JetBrains Probe Shell History Probe gdoc_arrow_right_alt