Node.js security and safety best practices on local machine


Hello, I’ve just started backend and really enjoying node.js and git/github. I just have some concerns before installing node.js on my machine… I believe that at least 2 people have already developed viruses for node.js just as a simple “proof of concept”. They posted it on github. Is there a way for us to protect ourselves when using node.js… Can antivirus software and anti-malware software detect these? Will firewalls help? If they’re already hiding under node.js which has already been given user privileges? Just like in one of the github/medium posts… How do we scan the node repository for “safe” modules? What if an “evil” module gets into the repo? Thanks…

PS. Or is there no real safe answer? The best is to keep a development machine separate from any other personal computer? Will running it on pure ubuntu and sandboxing it like there’s no tomorrow help? Thanks…


Those viruses infect other JavaScript files in the same project directory. They can’t do anything to your system. The one concern I have with NPM modules is global installation, as this requires elevated privileges. Contrary to most of the tutorials you’ll ever see, you don’t need to do this most of the time. Modules can be installed locally and run via NPM scripts. Only install globally if it’s a well-known package that’s been around for a long time. Check the source code if you can.

NodeJS itself should be reasonably safe to run for development without much protection. Having a firewall to block all incoming connections is a good, easy step towards safe computing. For servers, I usually only have ports 22, 80, and 443 open - all web connections go through a proxy server (NginX) and are routed to Node, Ruby, et al as needed. All of your connections should be encrypted. Keep good backups, and encrypt those. Remember that the most reliable point of failure in your security policy is the user.


Wow… Thanks for the feedback… I just finished frontEnd here at freeCodeCamp… still barely getting the hang of git, github and node but also equally amazed at all the technology and tools at our disposal… I always liked computers but IT is not my primary profession. I have fiddled with ubuntu on my older desktop and its ip-tables and connections… but still no expert. Only heard about NginX in some stackoverflow discussions.

For a beginner at the back end like myself… so currently having an antivirus, antimalware (I think Malwarebytes is the most popular), a firewall and not installing things globally (with a -g) should be a safe bet at my level? I saw this YouTube video where he installed things like webpack on the project folder and used the scripts part of the .json file to still be able to launch it… so that would be a safer way of using node.js?

Based on what I’ve read… they say install globally (with -g) if you want to use it via terminal and install locally if it’s part of the project folder? That’s my only worry. Will installing some things without -g affect my projects or will the script part of the json file solve that for me as you said? I guess I don’t mind installing multiple versions of some modules if it means added security.

What modules would you recommend installing with a -g? webpack? and express? And keep other things like angular2, babel, react in the project folder? Or keep everything in the project folder and just not use --save-dev so they don’t end up on my json file?

Thanks again!


That’s the way I prefer to do it, but not really for security reasons. Though it is technically more secure to avoid global installs, in practice you’re not at much risk.

You are entirely, 100% safe installing things like Webpack and Express globally. Codebases that are super popular are way too visible to be security threats. Even packages that are really small are not great vectors of attack, so I don’t see them being likely threats. I want to really emphasize the fact that Node and NPM are not substantial threats to your livelihood.

Your OS firewall is probably good enough, and if you want to run antivirus then you have lots of options (I don’t, so I can’t give any recommendations). More importantly, if you’re ever connecting to wi-fi in public areas, you should invest in a VPN service. Always use HTTPS. Keep important data encrypted and off the cloud. Assume that all proprietary software has backdoors for the NSA. Trust no one :alien:

When thinking about project dependencies, my first thought isn’t so much security as it is maintenance. When you install something like Webpack globally, you have one version that you run for all of your projects. That’s probably fine, but what happens to your project 18 months later when the latest version of Webpack is released with a change that breaks your configuration? Even if you don’t download major updates, someone else may need to clone your repo down the line, and if the proper version of Webpack isn’t specified in your package.json, they’re going to be cursing your name while hacking away at the config file. So, instead of global installs, I prefer to install everything locally with either --save or --save-dev. Some people go as far as committing their entire node_modules folder. I’m either too lazy or I have more faith in NPM than they do, so I just reinstall my dependencies each time.
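
The habit described in the replies above (install tools locally, run them through npm scripts, and record the version in package.json), as an added check that is not part of any post: it reads a manifest and reports script commands that would only work with a global install, plus dependencies whose version range accepts anything. The manifest, the `BUILTIN` list and the function names are assumptions made for this illustration.

```javascript
// Added example. samplePkg is constructed sample data, not from the thread.
const samplePkg = {
  scripts: {
    build: "webpack --mode production",
    lint: "eslint src && prettier --check src",
    start: "node server.js",
    test: "NODE_ENV=test mocha",
  },
  dependencies: { express: "^4.18.2" },
  devDependencies: { webpack: "5.88.2", eslint: "*" },
};

// Commands supplied by the OS or by Node/npm itself rather than by a package.
const BUILTIN = new Set(["node", "npm", "npx", "echo", "cd", "rm", "cp", "mkdir"]);

// Split one script line on shell operators and return the command each part
// runs, skipping leading VAR=value environment assignments.
function commandsIn(scriptLine) {
  return scriptLine
    .split(/&&|\|\||;|\|/)
    .map((part) => part.trim().split(/\s+/).find((w) => w && !/^\w+=/.test(w)))
    .filter(Boolean);
}

// Assumption: a tool's command name equals its package name (true for eslint,
// prettier, mocha; not for every package, e.g. typescript ships `tsc`).
function auditManifest(pkg) {
  const declared = { ...pkg.dependencies, ...pkg.devDependencies };
  const names = new Set(Object.keys(declared));
  const undeclared = new Set();
  for (const line of Object.values(pkg.scripts || {})) {
    for (const cmd of commandsIn(line)) {
      if (!BUILTIN.has(cmd) && !names.has(cmd)) undeclared.add(cmd);
    }
  }
  // "*", "latest" and "" accept any published version, so a fresh clone may
  // get a different tool than the one the project was written against.
  const loose = Object.entries(declared)
    .filter(([, range]) => ["*", "latest", ""].includes(range))
    .map(([name]) => name);
  return { undeclared: [...undeclared].sort(), loose: loose.sort() };
}

console.log(auditManifest(samplePkg));
```

To check a real project, pass the parsed contents of its package.json to `auditManifest` instead of `samplePkg`.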


Wow, thanks for the response. It’s been a while since I got back to the forums.

Currently learning react.js but I just stumbled upon modular programming with JavaScript and caching the DOM as well as pubsub methods… I’m rethinking the utility of react. I believe it’s still great for really large projects that generate 500,000 <li></li> elements for example but for smaller projects I wonder if the react.js overhead is worth it? I guess I digress from the current topic of node.js security…

Anyway… thanks! and MERRY CHRISTMAS, HAPPY NEW YEAR and HAPPY HOLIDAYS… :slight_smile:


For “real” projects? Nope! But a person has to learn React somehow, and small projects are a totally reasonable way to do so. I wouldn’t bracket React’s utility to extremes, but there are definitely cases I wouldn’t use it for.