Supply Chain
Typosquatting, abandoned packages, malicious install scripts, dependency confusion, and missing lockfiles — attacks through your dependencies.
5 vulnerabilities
Typosquatting
Severity: high
Installing a package with a name one character off from a popular library can install malware instead of the real package.
Abandoned Packages
Severity: medium
Dependencies that haven't been updated in 2+ years are unlikely to receive security patches when new vulnerabilities are discovered.
Malicious Install Scripts
Severity: high
npm postinstall scripts run automatically with your system permissions during npm install, making them a common vector for malware.
Dependency Confusion
Severity: high
Private internal packages without a scope prefix can be hijacked by publishing a higher-versioned public package with the same name.
Missing Lockfile
Severity: medium
Without a lockfile, npm install resolves the latest compatible version of every dependency — which can introduce a newly compromised package on your next deploy.