Practical Guide to Securing npm Dependencies and Supply Chains
This repository is a curated guide of security best practices for working with npm, focused on reducing risks from supply chain attacks and vulnerable dependencies. It covers techniques like disabling risky install scripts, enforcing deterministic installs, auditing packages before use, delaying adoption of new releases, and avoiding blind upgrades. It also includes guidance for developers and maintainers, such as using 2FA, minimizing dependencies, and adopting secure publishing methods, aiming to make JavaScript development more resilient to increasingly common package ecosystem attacks.
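The "delay adoption of new releases" technique mentioned above can be automated: rather than taking whatever `latest` points at, resolve the newest stable version that has already been public for a cooldown period. The snippet below is an added example, not code from the guide; it works on an object shaped like the output of `npm view <pkg> time --json`, and the version timestamps it contains are constructed.

```javascript
// Added example (not from the guide): pick the newest stable version of a
// package that has been published for at least `minAgeDays`, so a freshly
// pushed (possibly malicious) release is not adopted automatically.
// SAMPLE_TIME mirrors the shape of `npm view <pkg> time --json`; the
// timestamps are constructed for this example.
const SAMPLE_TIME = {
  created: "2023-01-01T00:00:00.000Z",
  modified: "2024-06-10T12:00:00.000Z",
  "1.0.0": "2023-01-01T00:00:00.000Z",
  "1.1.0": "2024-03-15T09:30:00.000Z",
  "1.1.1": "2024-06-08T18:00:00.000Z",
  "1.2.0-beta.1": "2024-06-09T08:00:00.000Z",
  "1.2.0": "2024-06-10T12:00:00.000Z",
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for keys such as
// "created"/"modified" that are not versions.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric comparison of two stable version strings.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Return the newest stable version published at least minAgeDays before `now`,
// or null when every release is still inside the cooldown window (in which
// case a CI job should fail closed rather than fall back to `latest`).
function pickCooledDownVersion(timeMap, minAgeDays, now = new Date()) {
  const cutoff = now.getTime() - minAgeDays * 24 * 60 * 60 * 1000;
  const eligible = Object.entries(timeMap)
    .filter(([version]) => {
      const parsed = parseVersion(version);
      return parsed !== null && parsed.pre === null; // stable releases only
    })
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([version]) => version)
    .sort(compareVersions);
  return eligible.length ? eligible[eligible.length - 1] : null;
}
```

Pin the returned version with an exact range in `package.json` (or via `save-exact`) so a later `npm install` does not silently move past the cooldown again.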