Problem:
The project includes the nonessential npm-run-all package as a devDependency, which adds one more external package to the supply chain.
Each external dependency is a potential vector for supply chain attacks, which unfortunately have become more and more common lately.
Moreover, each extra dependency pulls in its own dependencies, so the risk grows exponentially with every package added.
Check the npm-run-all dependencies on npmjs.com
Check the npm-run-all dependency tree graph on npmgraph.js.org
Solution:
Remove npm-run-all and refactor all npm scripts to use native npm run with the --silent (-s) flag and the && operator.
The -s flag suppresses npm's default output, and the && operator runs the commands in sequence, achieving the same quiet sequential execution without the extra dependency.
Benefits:
- Reduces the supply chain attack surface by eliminating one external dependency
- Removes 1 package from node_modules along with its transitive dependencies
- Maintains equivalent functionality using native npm features
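Added illustration, not part of this PR: a package.json scripts section showing the npm-run-all form beside its native replacement. The script names, tool commands and version ranges are assumed for the example.

```jsonc
{
  "scripts": {
    "lint": "eslint .",
    "test": "vitest run",
    "build": "tsc -p tsconfig.json",
    // before: "check": "run-s lint test build"  (run-s is provided by npm-run-all)
    // after: the same quiet, sequential run using only native npm
    "check": "npm run -s lint && npm run -s test && npm run -s build"
  },
  "devDependencies": {
    // the "npm-run-all" entry is removed from here
    "eslint": "^9.0.0",
    "typescript": "^5.0.0",
    "vitest": "^2.0.0"
  }
}
```

The && chain stops at the first script that exits non-zero, matching run-s's default abort-on-error behaviour, whereas scripts that relied on run-p (parallel execution) have no && equivalent and need separate treatment. After the change, `npm ls npm-run-all` should no longer list the package.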