Firewall's Policy Compliant Component Selection for npm

IQ Server | Reading time: 4 minutes




Prerequisites

This guide assumes you have Nexus Repository Pro & Nexus Firewall configured to quarantine components on an npm proxy repository.

To install Firewall or Nexus Repository Pro, check out these guides:

npm Versions and Firewall

In an npm project, developers can require the latest version or specify a version range for a package. If no version is specified, npm will automatically download the most recent version. This keeps a project’s dependencies up to date, but blindly updating can introduce malware and other risks into your application. It also goes against DevOps best practices.

To protect against unknown, suspicious, and malicious components, Nexus Firewall quarantines new versions of some components until they are deemed safe. New releases that fail your organization’s policy standards are also quarantined. Without the feature described here, a quarantined latest release means Firewall blocks the download of that dependency even when the previous version of the package is policy compliant, and the missing dependency prevents the application from building.

This effect is most noticeable in npm, as it is one of the most active software ecosystems, with over 3.5 million new package versions released in 2021. To make managing package versions easier, repositories using Firewall now return the latest package version that complies with your policy standards, unless a specific version is pinned in package.json. Quarantined versions are never available for developers to download from your repository. This saves developers and security teams time managing dependency versions.

Configuration and Usage

When an application requests a package without a specific version, Firewall will audit all versions within range. Every version that violates a policy set to fail at the proxy stage will be marked as quarantined. Nexus Repository Manager Pro will serve the most recent version not in quarantine. Note that while every component audited may appear on your Repository Results, only the policy compliant version will be downloaded and stored in your repository.
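The selection rule above, modelled as an added example (not Sonatype's code): given the versions a registry lists for a package and which of them Firewall has quarantined, serve the newest in-range version that is not quarantined. The catalog is constructed for a hypothetical package, and only the range forms npm writes into package.json by default are handled.

```javascript
// Added example, not Sonatype's code: models how a Firewall-enabled npm proxy
// picks the newest policy-compliant version within a requested range.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Negative if a < b, positive if a > b, 0 if equal (numeric, not lexical).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Handles "" or "*" (any), "^x.y.z" (caret), "~x.y.z" (tilde) and exact "x.y.z".
function satisfies(version, range) {
  if (range === '' || range === '*') return true;
  const op = range[0];
  const base = op === '^' || op === '~' ? range.slice(1) : range;
  if (compareVersions(version, base) < 0) return false;
  const [bMaj, bMin] = parseVersion(base);
  const [vMaj, vMin] = parseVersion(version);
  if (op === '^') {
    if (bMaj > 0) return vMaj === bMaj;               // ^1.2.3 -> >=1.2.3 <2.0.0
    if (bMin > 0) return vMaj === 0 && vMin === bMin; // ^0.2.3 -> >=0.2.3 <0.3.0
    return version === base;                          // ^0.0.3 -> exactly 0.0.3
  }
  if (op === '~') return vMaj === bMaj && vMin === bMin; // ~1.2.3 -> >=1.2.3 <1.3.0
  return version === base;
}

// Returns the version the proxy would serve, or null when every in-range
// version is quarantined (the "build fails" case the text describes).
function selectVersion(range, catalog, { honorQuarantine = true } = {}) {
  const candidates = catalog
    .filter(c => satisfies(c.version, range))
    .filter(c => !honorQuarantine || !c.quarantined)
    .sort((a, b) => compareVersions(b.version, a.version));
  return candidates.length ? candidates[0].version : null;
}

// Constructed catalog: the two newest releases have been quarantined.
const CATALOG = [
  { version: '4.17.20', quarantined: false },
  { version: '4.17.21', quarantined: false },
  { version: '4.18.0', quarantined: true },
  { version: '5.0.0', quarantined: true },
];
```

With this catalog, an unpinned request (or `^4.17.0`) resolves to 4.17.21 instead of the quarantined 5.0.0, while a dependency pinned to exactly 5.0.0 resolves to nothing.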

Warning: When using this feature Firewall will audit more packages than a normal install. This will cause the dependency install to take longer, especially for projects with large package.json files. The results of the audit are cached for 72 hours.

Enable in Nexus Repository Pro

To enable policy-sensitive version selection for npm:

  1. Navigate to your instance of Nexus Repository Pro
  2. Select the Server Administration and Settings Cog
  3. Select Repositories
  4. Select your npm Proxy Repository
  5. Check Remove Quarantined Versions
  6. Click save

(Screenshot: Repository configuration setting)

IQ Audit and Quarantine must be enabled for your proxy repository. Check out the prerequisites section for more information.

Usage

Nexus Firewall’s policy informed component selection will run automatically whenever you run npm install or yarn install.

Viewing Results in the UI

Quarantined components are visible in the IQ Server user interface. To view quarantined components:

  1. Navigate to your instance of IQ Server
  2. Select the Firewall tab from the sidebar

(Screenshot: Firewall quarantine)

To view a list of all audited components:

  1. Navigate to your instance of IQ Server
  2. Select Orgs and Policies from the sidebar
  3. Select Repositories
  4. Click the link for your npm Proxy Repository

(Screenshot: Audited component list)

Viewing Results in the Terminal

To see which versions are currently installed for your project, run npm list. Use the --depth option (for example, npm list --depth=1) to include transitive dependencies.

Running npm audit will provide a list of currently installed components with detailed information on quarantined and substituted versions.

(Screenshot: npm audit results)
