Security
Supply Chain Security
Your application is mostly other people's code: hundreds of transitive packages, any of which can be compromised — typosquats, hijacked maintainers, malicious install scripts. The defences are boring and effective: committed lockfiles, audits, minimal dependencies, pinned CI actions. Most famous npm incidents were preventable at the install step.
Purpose
Modern builds trust strangers by default: npm install executes code from hundreds of transitive packages, written by people you have never met, any of whom can publish a new version tonight. Supply chain security is managing that inherited risk — because attackers noticed that compromising one popular package (or one maintainer's laptop) is cheaper than attacking a thousand applications one by one. event-stream, ua-parser-js and the xz backdoor were all this pattern.
When to Use It
Vetting new dependencies before adoption (maintenance, downloads, install scripts, typo-distance from popular names); keeping CI honest, since it holds the deploy keys and runs third-party actions; meeting the SBOM requirements now common in procurement; and being able to answer, on the day a popular package is compromised, the question "are we running it?" in minutes rather than days.
Trade-offs
Audit tooling cries wolf — most vulnerability alerts are in dev-time paths attackers cannot reach, and alert fatigue is how the real one slips past. Version pinning trades exposure to new malware for exposure to old bugs; there is no setting that avoids both. And the strongest controls (reviewing dependency diffs, vendoring) cost engineering time that small teams must ration — which is why the cheapest control is having fewer dependencies.
Implementation
Commit the lockfile and install with npm ci so builds are reproducible. Enable Dependabot/Renovate plus npm audit triage. Disable install scripts where possible (--ignore-scripts), pin GitHub Actions to commit SHAs, scope registry tokens tightly, and generate an SBOM in CI. Before adding a package, weigh writing the fifty lines yourself — the dependency you do not add is the one that cannot betray you.