The Supply Chain Problem
Your security is only as strong as your weakest dependency. A single compromised npm package can affect millions of sites (see the event-stream and ua-parser-js incidents).
How to Protect Yourself
Dependency Security:
- Lock dependency versions (commit package-lock.json)
- Run npm audit regularly
- Use Snyk or similar for monitoring
- Review updates before applying
Third-Party Scripts:
- Use Subresource Integrity (SRI)
- Self-host critical scripts
- Monitor for changes
CDNs:
- Use SRI hashes
- Have fallback sources
Check Your External Resources
Our security scanner identifies third-party resources loading on your site and checks for SRI implementation. Scan your site.