
8 docs tagged with "npm"


Evaluating npm Packages

Before adding a dependency, invest a few minutes evaluating it. Every package you adopt becomes a long-term commitment — it affects bundle size, maintenance burden, upgrade paths, and security surface. This page provides a structured evaluation workflow. For security-specific vetting (supply chain, typosquatting, install scripts), see the npm Security Checklist.

npm Security Checklist

This page is a practical distillation of the OWASP NPM Security Cheat Sheet, organized by workflow phase. For the "why" (attack vectors, incident history, and defense rationale) read npm Supply Chain Attacks first; this page is the "what to do" reference, with particular emphasis on publisher-side hygiene.

npm Supply Chain Attacks

A supply chain attack in the npm ecosystem occurs when an attacker compromises a package, or the infrastructure around it (maintainer accounts, build pipelines, the registry), to inject malicious code into every application that depends on it. npm is especially exposed to this class of attack: the registry hosts over 3 million packages, the average project pulls in hundreds of transitive dependencies, many packages are maintained by a single person, and npm install runs a package's lifecycle install scripts by default, so a compromised dependency can execute code on the developer machine or CI runner before the application itself ever runs. This page covers what has happened, how these attacks work, and how to defend against them.

npm Workspaces

npm Workspaces is npm's native monorepo feature: one root package that manages multiple nested packages in a single repository, with a single install step and a single lockfile. It has been supported since npm v7, so every modern Node.js installation has it out of the box.

Package Publishing

Publishing packages is how you share reusable code — whether with the open-source community on npm, within your organization via private registries, or across projects in a monorepo.