
Package typosquat defense

Prevent dependency confusion and typosquatting attacks by locking package registries, verifying integrity, and auditing third-party sources before install.

1. Scope your registries

Configure your package manager to pull only from trusted registries. For npm, set registry=https://registry.npmjs.org/ in .npmrc and disable fallback. Use scoped registries for internal packages to prevent name confusion with public packages.

2. Enforce integrity hashes

Lock files must include integrity hashes. In npm, use npm ci instead of npm install in CI to respect the lock file exactly. Enable enforce-lockfile in Yarn or pnpm to reject installs that would mutate the lock file.

3. Audit before install

Run npm audit or equivalent on every pull request. Block merges when critical vulnerabilities surface. Use tools like Socket or Snyk to detect typosquatting indicators: recently published packages, names within Levenshtein distance of popular packages, or maintainers with no history.

4. Pin and proxy

Mirror dependencies through an internal proxy such as Verdaccio or Artifactory. Pin exact versions — never use ranges like ^1.2.3 in production manifests. The proxy acts as a choke point: if a malicious package is published upstream, your builds are insulated until the proxy cache is explicitly updated.

Quick checklist

  • Single trusted registry per manifest
  • Lock file committed and enforced in CI
  • Integrity hashes present for every dependency
  • Pre-install audit gate with automated blocking
  • Internal proxy mirror with exact version pinning