
DOMAIN:SUPPLY_CHAIN

OWNER: julian
UPDATED: 2026-03-18
SCOPE: all client projects, internal infrastructure


CONTEXT

  • average Node.js app: 200-800+ dependencies (direct + transitive)
  • 80%+ of application code = third-party packages
  • supply chain attacks: 742% average annual increase 2019-2022 (Sonatype, 2022 State of the Software Supply Chain)
  • EU CRA (Regulation (EU) 2024/2847): vulnerability reporting obligations apply from 11 Sep 2026, the full obligations (SBOM, vulnerability handling, conformity assessment) from 11 Dec 2027

SBOM

STANDARDS

CYCLONEDX (OWASP): security-focused, richer vulnerability correlation (VEX, dependency graph, services). FORMAT: JSON, XML, protobuf
SPDX (ISO/IEC 5962:2021, Linux Foundation): license-focused. FORMAT: JSON, YAML, RDF, tag-value
RECOMMENDATION: CycloneDX for security, SPDX for license compliance; generate one primary format per project and convert (syft emits both) rather than maintaining two by hand

TOOLS

TOOL: syft (Anchore) — multi-ecosystem, produces CycloneDX + SPDX
TOOL: trivy — SBOM as part of broader scanning
TOOL: npm sbom — built into current npm; `npm sbom --sbom-format cyclonedx` or `--sbom-format spdx`, generated from the installed dependency tree
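What you actually do with the SBOM once a tool has produced it: index components by bom-ref, ask what a package pulls in via the dependency graph (the same question as `npm ls` for the transitive-deps check), and diff the SBOM against the previous build so the inventory stays current. This is an added example, not code from the page or from syft/npm; the two SBOMs are constructed by hand in the shape syft and `npm sbom --sbom-format cyclonedx` emit (bom-ref equal to the purl), and the package versions are illustrative.

```python
"""Work with a CycloneDX JSON SBOM: index components by bom-ref, walk the
dependency graph, and diff two snapshots of the same project.

Added example (not from the original page). SBOM_OLD and SBOM_NEW are
constructed in the shape syft / `npm sbom --sbom-format cyclonedx` emit
(bom-ref == purl); the package versions are illustrative.
"""
import json


def _component(name, version):
    purl = f"pkg:npm/{name}@{version}"
    return {"type": "library", "name": name, "version": version,
            "purl": purl, "bom-ref": purl}


SBOM_OLD = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [_component("express", "4.18.2"), _component("qs", "6.11.0"),
                   _component("side-channel", "1.0.4"), _component("left-pad", "1.3.0")],
    "dependencies": [
        {"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/qs@6.11.0"]},
        {"ref": "pkg:npm/qs@6.11.0", "dependsOn": ["pkg:npm/side-channel@1.0.4"]},
        {"ref": "pkg:npm/side-channel@1.0.4", "dependsOn": []},
        {"ref": "pkg:npm/left-pad@1.3.0", "dependsOn": []},
    ],
})

SBOM_NEW = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [_component("express", "4.19.2"), _component("qs", "6.11.0"),
                   _component("side-channel", "1.0.4"), _component("cookie", "0.6.0")],
    "dependencies": [
        {"ref": "pkg:npm/express@4.19.2", "dependsOn": ["pkg:npm/qs@6.11.0", "pkg:npm/cookie@0.6.0"]},
        {"ref": "pkg:npm/qs@6.11.0", "dependsOn": ["pkg:npm/side-channel@1.0.4"]},
        {"ref": "pkg:npm/side-channel@1.0.4", "dependsOn": []},
        {"ref": "pkg:npm/cookie@0.6.0", "dependsOn": []},
    ],
})


def load_sbom(text):
    """Return (components keyed by bom-ref, dependency graph ref -> [refs])."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return components, graph


def transitive_deps(graph, ref):
    """Every ref reachable from `ref` via dependsOn: what one package pulls in."""
    seen, stack = set(), list(graph.get(ref, []))
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(graph.get(r, []))
    return seen


def diff_sboms(old_components, new_components):
    """Added / removed / version-changed packages, keyed by name.
    A name may carry several versions (npm nests conflicting versions), so each
    name maps to the sorted list of versions present in that snapshot."""
    def versions(components):
        out = {}
        for c in components.values():
            out.setdefault(c["name"], set()).add(c["version"])
        return out
    old, new = versions(old_components), versions(new_components)
    added = {n: sorted(new[n]) for n in new.keys() - old.keys()}
    removed = {n: sorted(old[n]) for n in old.keys() - new.keys()}
    changed = {n: (sorted(old[n]), sorted(new[n]))
               for n in old.keys() & new.keys() if old[n] != new[n]}
    return added, removed, changed


if __name__ == "__main__":
    old_c, old_g = load_sbom(SBOM_OLD)
    new_c, _ = load_sbom(SBOM_NEW)
    print("express pulls in:", sorted(transitive_deps(old_g, "pkg:npm/express@4.18.2")))
    print("added/removed/changed:", diff_sboms(old_c, new_c))
```

The diff is keyed by package name rather than purl on purpose: a version bump would otherwise show up as one removal plus one addition, which hides exactly the change a reviewer wants to see.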

CRA_REQUIREMENTS (apply from 11 Dec 2027; reporting obligations from 11 Sep 2026)

  • SBOM mandatory for products with digital elements placed on the EU market (Annex I Part II)
  • format: commonly used and machine-readable; must cover at least the top-level dependencies; in practice name, version, supplier and a unique identifier (purl) per component
  • vulnerabilities are not stored in the SBOM: the manufacturer must identify, document and remediate them for the support period, and report actively exploited ones (Art. 14)
  • must be kept current throughout the support period
  • provided to market surveillance authorities on request; no obligation to publish it

SLSA (Supply-chain Levels for Software Artifacts, v1.0 Build track)

LEVEL_1: provenance exists (may be unsigned) → documents how the artifact was built, no tamper protection yet
LEVEL_2: hosted build platform + provenance signed by the platform → protects against tampering after the build
LEVEL_3: hardened build platform (isolated, ephemeral builds; signing key unreachable from user-defined steps) → non-falsifiable provenance, protects against a compromised build job
LEVEL_4 (SLSA v0.1 only, dropped from v1.0): two-person review + hermetic build → protection against a single compromised developer

IMPLEMENTATION:
- L1: have the build emit provenance (an in-toto attestation) next to every artifact; reproducibility is not an L1 requirement
- L2: hosted CI (GitHub Actions/GitLab CI) + provenance signed by the platform; sign and attest artifacts with Sigstore/cosign (cosign sign, cosign attest)
- L3: isolated, ephemeral build envs; provenance generated and signed by the platform itself (slsa-github-generator reusable workflows, GitHub artifact attestations via actions/attest-build-provenance) so a compromised job cannot forge it; consumers verify before use (slsa-verifier, cosign verify-attestation)
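Verifying provenance is where the levels pay off: after the signature has been checked, the consumer still has to confirm the statement is about the artifact in hand, came from a builder it trusts, and was fed from the expected repository. The following is an added example of that policy check, not code from the page or from the SLSA project. The in-toto statement, artifact bytes, repository URL and builder id are constructed; the builder id imitates the slsa-github-generator naming scheme and the buildType URL is a placeholder, both assumptions.

```python
"""Policy check on a SLSA v1 provenance statement before an artifact is used.

Added example (not from the original page or the SLSA project). Signature
verification (cosign verify-attestation / slsa-verifier) is assumed to have
happened already; this checks only the statement's content. STATEMENT,
ARTIFACT, the repository URL and the builder id are constructed; the builder
id mimics slsa-github-generator naming and the buildType is a placeholder.
"""
import hashlib

SLSA_V1 = "https://slsa.dev/provenance/v1"

ARTIFACT = b"constructed release tarball bytes\n"   # stands in for app.tar.gz

STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/buildtypes/github-workflow/v1",   # assumed
            "externalParameters": {"workflow": {"ref": "refs/tags/v1.2.0",
                                                "repository": "https://github.com/example-org/app"}},
            "resolvedDependencies": [
                {"uri": "git+https://github.com/example-org/app@refs/tags/v1.2.0",
                 "digest": {"gitCommit": "0123456789abcdef0123456789abcdef01234567"}}],
        },
        "runDetails": {"builder": {
            "id": "https://github.com/slsa-framework/slsa-github-generator/"
                  ".github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0"}},
    },
}

# What we are willing to accept: the artifact we expect, the builder we trust,
# and the source repository the build must have consumed.
POLICY = {
    "artifact_name": "app.tar.gz",
    "builder_id_prefix": "https://github.com/slsa-framework/slsa-github-generator/",
    "source_uri_prefix": "git+https://github.com/example-org/app@",
}


def check_provenance(statement, artifact_bytes, policy):
    """Return a list of findings; an empty list means the artifact is admitted."""
    if statement.get("predicateType") != SLSA_V1:
        return [f"unexpected predicateType {statement.get('predicateType')!r}"]
    findings = []

    # 1. the provenance must be about *this* artifact: name and digest both match
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    subjects = [s for s in statement.get("subject", []) if s.get("name") == policy["artifact_name"]]
    if not subjects:
        findings.append("artifact is not a subject of this provenance")
    elif subjects[0].get("digest", {}).get("sha256") != digest:
        findings.append("subject sha256 does not match the downloaded artifact")

    predicate = statement.get("predicate", {})

    # 2. only a trusted builder (at L3 the platform, not the user's job, signs)
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder.startswith(policy["builder_id_prefix"]):
        findings.append(f"untrusted builder {builder!r}")

    # 3. the build must have been fed from the expected repository, not a fork
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri", "").startswith(policy["source_uri_prefix"]) for d in deps):
        findings.append("provenance does not reference the expected source repository")
    return findings


if __name__ == "__main__":
    print(check_provenance(STATEMENT, ARTIFACT, POLICY) or "provenance OK")
    print(check_provenance(STATEMENT, ARTIFACT + b"tampered", POLICY))
```

The builder check is a prefix match because the builder id carries the generator's own version tag; pin it tighter if you want to force a specific generator release.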


DEPENDENCY_MANAGEMENT

BEFORE_ADOPTING_NEW_DEP

CHECK: maintenance health — last commit? open issues ratio? active maintainers?
CHECK: security history — past CVEs? response time?
CHECK: license — compatible? (AGPL in SaaS = problematic)
CHECK: scope — needs filesystem/network access? (Socket.dev checks this)
CHECK: alternatives — smaller, better-maintained package available?
CHECK: transitive deps — what does it pull in? (npm view <pkg> dependencies before installing; npm ls --all or the SBOM dependency graph afterwards)

VERSION_MANAGEMENT

RULE: lock files MUST be committed (package-lock.json, yarn.lock, pnpm-lock.yaml) and reviewed in PRs like code: a changed `resolved` URL or `integrity` hash is a red flag
RULE: use npm ci (not npm install) in CI: installs exactly what the lock file says and fails if package.json and the lock file disagree; add --ignore-scripts where no dependency needs lifecycle scripts, since install scripts are the usual payload in package compromises
RULE: pin exact versions for critical deps
TOOL: Renovate for automated update PRs (more configurable than Dependabot)
POLICY: auto-merge patch updates for well-tested deps, only after CI passes and with a minimum release age (Renovate minimumReleaseAge) so a hijacked release is usually pulled from the registry before it gets merged
POLICY: manual review for major version bumps
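A committed lock file is only protective if it is itself checked. This added example (not code from the page or from npm) audits a package-lock.json for the three things worth failing CI on: a package resolved from a non-HTTPS or unapproved host (lock file injection), a private-scope package resolved from the public registry (dependency confusion), and a missing or non-sha512 integrity hash. The lock file fragment is constructed; the private registry host npm.acme.internal, the @acme/ scope and the attacker mirror host are assumptions.

```python
"""Audit a package-lock.json (lockfileVersion 2/3) for supply-chain red flags:
packages resolved from an unapproved or non-HTTPS host (lock file injection),
private-scope packages resolved from the public registry (dependency
confusion), and missing or weak integrity hashes.

Added example (not from the original page or from npm). LOCK is a hand-made
lock file fragment; npm.acme.internal, the @acme/ scope and the attacker
mirror host are assumptions.
"""
import json
from urllib.parse import urlparse

FAKE_SHA512 = "sha512-" + "A" * 86 + "=="   # placeholder hash with the right shape
LOCK = json.dumps({
    "name": "webapp", "lockfileVersion": 3,
    "packages": {
        "": {"name": "webapp",
             "dependencies": {"express": "^4.19.2", "@acme/auth": "^2.0.0", "left-pad": "^1.3.0"}},
        "node_modules/express": {
            "version": "4.19.2",
            "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz",
            "integrity": FAKE_SHA512},
        "node_modules/@acme/auth": {                 # private scope, but resolved publicly
            "version": "2.0.1",
            "resolved": "https://registry.npmjs.org/@acme/auth/-/auth-2.0.1.tgz",
            "integrity": FAKE_SHA512},
        "node_modules/left-pad": {                   # tampered entry: attacker mirror + sha1
            "version": "1.3.0",
            "resolved": "http://mirror.attacker.example/left-pad-1.3.0.tgz",
            "integrity": "sha1-" + "C" * 27 + "="},
        "node_modules/shared": {"resolved": "packages/shared", "link": True},   # workspace symlink
    },
})

POLICY = {
    "allowed_hosts": {"registry.npmjs.org", "npm.acme.internal"},
    "private_scopes": {"@acme/": "npm.acme.internal"},   # scope -> host it must come from
}


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b': the name is the last node_modules segment."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(text, policy):
    """Return [(lock file path, problem)] for every entry that violates the policy."""
    lock = json.loads(text)
    if lock.get("lockfileVersion", 1) < 2:
        return [("", "lockfileVersion < 2 has no 'packages' map; regenerate with current npm")]
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link") or "node_modules/" not in path:
            continue   # project root, workspace symlink, or a local workspace package
        name = package_name(path)
        resolved = entry.get("resolved", "")
        url = urlparse(resolved)
        host = url.hostname or ""
        if not resolved:
            findings.append((path, "no resolved URL: origin of this package is not pinned"))
        elif url.scheme != "https":              # also catches git+ssh:// etc., which need review
            findings.append((path, f"non-https resolved URL {resolved}"))
        elif host not in policy["allowed_hosts"]:
            findings.append((path, f"resolved from unapproved host {host}"))
        for scope, want_host in policy["private_scopes"].items():
            if name.startswith(scope) and host != want_host:
                findings.append((path, f"{scope} package resolved from {host or '?'}, "
                                       f"not {want_host}: possible dependency confusion"))
        integrity = entry.get("integrity", "")
        if not integrity.startswith("sha512-"):   # npm verifies this hash on install
            findings.append((path, f"weak or missing integrity ({integrity[:6] or 'none'})"))
    return findings


if __name__ == "__main__":
    for path, problem in audit_lockfile(LOCK, POLICY):
        print(f"{path}: {problem}")
```

Run it as a CI step on every PR that touches the lock file; the dependency-confusion rule is the one that catches the case where an attacker publishes a package under your private scope name on the public registry.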

MONITORING

TOOL: trivy for continuous vuln scanning in CI
TOOL: socket.dev for supply chain attack detection
TOOL: GitHub secret scanning for leaked credentials
POLICY: automated alerts on maintainer changes for critical deps (new maintainer, ownership transfer, or a version published by a previously unseen publisher; compare the registry's maintainers list between releases)


LICENSE_COMPLIANCE

RISK_LEVELS

MIT, BSD-2, BSD-3, ISC: LOW — keep copyright notice + license text (attribution in NOTICE file)
APACHE_2.0: LOW — attribution + propagate the upstream NOTICE file; comes with an express patent grant that terminates on patent litigation
MPL_2.0: MEDIUM — file-level copyleft: modified MPL files must be published, the rest of the app is unaffected
LGPL_2.1/3.0: MEDIUM — copyleft for modifications to the library itself; dynamic linking usually OK, static linking/bundling needs review
GPL_2.0/3.0: HIGH — copyleft extends to linked code; obligations trigger on distribution (internal use alone does not distribute, but shipped CLIs, client bundles and container images do) — may require open-sourcing
AGPL_3.0: CRITICAL — copyleft also triggers on network use (SaaS), so there is no "we never distribute" escape — almost certainly requires open-sourcing
UNLICENSED/CUSTOM: UNKNOWN — no license means all rights reserved; cannot use without explicit permission

FOR_GE_SAAS

IF AGPL dependency THEN flag immediately — may require releasing source code
IF GPL THEN depends on linking strategy — escalate to human before using
SCAN_WITH: license-checker (npm), Snyk, or FOSSA; run it in CI so a new copyleft dependency fails the build instead of surfacing at audit time
MAINTAIN: NOTICE file with all attributions
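The scanners above do the classification for you, but the part they get wrong, and that a reviewer has to understand, is SPDX expression semantics: `MIT OR GPL-2.0` is a dual-licensed package we can use under MIT, `MIT AND GPL-2.0` is not, and `GPL-2.0-only WITH Classpath-exception-2.0` is GPL until a human confirms the exception covers our use. This added example (not code from the page or from any of the listed scanners) applies the risk table above to the components of a CycloneDX SBOM with those rules. The SBOM and its component names are constructed.

```python
"""Classify every component of a CycloneDX SBOM by licence risk, using the
table above and SPDX expression semantics: `A OR B` lets us pick the
friendlier licence (min), `A AND B` means both apply (max), `A WITH exc`
keeps A's level so a human confirms the exception covers our use.

Added example (not from the original page or from any listed scanner).
SBOM is constructed and its component names are illustrative.
"""
import json
import re

LOW, MEDIUM, HIGH, CRITICAL, UNKNOWN = 1, 2, 3, 4, 5
RISK = {"MIT": LOW, "BSD-2-Clause": LOW, "BSD-3-Clause": LOW, "ISC": LOW, "Apache-2.0": LOW,
        "MPL-2.0": MEDIUM, "LGPL-2.1": MEDIUM, "LGPL-3.0": MEDIUM,
        "GPL-2.0": HIGH, "GPL-3.0": HIGH, "AGPL-3.0": CRITICAL}
TOKEN = re.compile(r"\(|\)|[^\s()]+")

SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "express", "version": "4.19.2", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "dual-lib", "version": "2.1.0", "licenses": [{"expression": "(MIT OR Apache-2.0)"}]},
    {"name": "report-renderer", "version": "5.0.3", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"name": "classpath-lib", "version": "1.0.0",
     "licenses": [{"expression": "GPL-2.0-only WITH Classpath-exception-2.0"}]},
    {"name": "vendor-sdk", "version": "0.9.0", "licenses": [{"license": {"name": "Proprietary EULA"}}]},
    {"name": "mystery", "version": "1.0.0"},                   # no licence data at all
]})


def license_risk(spdx_id):
    """'GPL-2.0-only', 'GPL-2.0-or-later' and 'GPL-2.0+' all hit the GPL-2.0 row."""
    return RISK.get(re.sub(r"(-only|-or-later|\+)$", "", spdx_id), UNKNOWN)


def expression_risk(expr):
    """Risk of a full SPDX expression; ValueError if it is free text, not an expression."""
    tokens = TOKEN.findall(expr)
    if not tokens:
        return UNKNOWN
    pos = 0

    def peek():
        return tokens[pos].upper() if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError(f"incomplete expression {expr!r}")
        pos += 1
        return tokens[pos - 1]

    def parse_or():                     # lowest precedence: OR picks the friendliest branch
        risk = parse_and()
        while peek() == "OR":
            take()
            risk = min(risk, parse_and())
        return risk

    def parse_and():                    # AND: both apply, the stricter governs
        risk = parse_atom()
        while peek() == "AND":
            take()
            risk = max(risk, parse_atom())
        return risk

    def parse_atom():                   # '(' expr ')' | licence-id [WITH exception-id]
        tok = take()
        if tok == "(":
            risk = parse_or()
            if take() != ")":
                raise ValueError(f"unbalanced parentheses in {expr!r}")
        else:
            risk = license_risk(tok)
        if peek() == "WITH":
            take()
            take()                      # exception id: risk deliberately left unchanged
        return risk

    risk = parse_or()
    if pos != len(tokens):
        raise ValueError(f"not an SPDX expression: {expr!r}")
    return risk


def component_expression(component):
    """CycloneDX gives either one SPDX `expression` or a list of licence objects,
    each with an SPDX `id` or free-text `name`. Several listed objects are
    treated as all applying (AND), the conservative reading."""
    parts = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            parts.append(f"({entry['expression']})")
        else:
            lic = entry.get("license", {})
            parts.append(lic.get("id") or lic.get("name") or "NOASSERTION")
    return " AND ".join(parts)


def scan_sbom(text):
    """[(name, version, expression, risk)] for every component, highest risk first."""
    rows = []
    for c in json.loads(text).get("components", []):
        expr = component_expression(c)
        try:
            risk = expression_risk(expr)
        except ValueError:
            risk = UNKNOWN          # free-text licence: cannot be classified automatically
        rows.append((c["name"], c.get("version", ""), expr, risk))
    return sorted(rows, key=lambda r: -r[3])


if __name__ == "__main__":
    for name, version, expr, risk in scan_sbom(SBOM):
        print(f"{risk} {name}@{version}: {expr or '(none)'}")
```

UNKNOWN sorts above CRITICAL on purpose: a component with no machine-readable licence is not "probably fine", it is unreviewed.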


BUILD_PIPELINE_SECURITY

CI_CD_HARDENING

CHECK: least-privilege CI runners and tokens — explicit permissions: block per workflow/job (read-all by default), short-lived cloud credentials via OIDC federation instead of stored keys, no full cluster access
CHECK: ephemeral build environments — fresh container/VM per build, no state carried between jobs
CHECK: pinned action versions in GitHub Actions — full 40-character commit SHA, not a tag (tags are mutable; a compromised action repo can move them); keep the version in a trailing comment so Renovate/Dependabot can still bump it
CHECK: secrets via CI secret management (not env files); never echo them, keep log masking on
CHECK: signed commits verified in CI
CHECK: protected branches — require reviews before merge, no force-push; treat pull_request_target workflows that check out the PR head as running untrusted code with secrets
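Most of the checks above can be enforced mechanically on the workflow files themselves. This added example (not code from the page or from GitHub) flags unpinned `uses:` references, a missing or write-all `permissions:` block, `pull_request_target` combined with a checkout of the PR head, and event data interpolated into `run:` scripts (script injection). The workflow is constructed; the 40-hex SHA in it is a placeholder, not a real setup-node commit. It deliberately uses line-oriented regexes so it needs no YAML library; a production version should parse the YAML.

```python
"""Static checks on a GitHub Actions workflow for the CI hardening points above.

Added example (not from the original page or from GitHub). WORKFLOW is a
constructed workflow; the 40-hex SHA is a placeholder. Line-oriented regexes
keep this dependency-free; parse the YAML properly in production.
"""
import re

WORKFLOW = """\
name: ci
on:
  pull_request_target:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
        with:
          node-version: 20
      - name: greet
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          npm ci
      - uses: docker://alpine:3.19
"""

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
RUN = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
EVENT_EXPR = re.compile(r"\$\{\{\s*github\.event\.")


def unpinned_uses(lines):
    """(lineno, ref) for every `uses:` not pinned to a commit SHA or image digest."""
    out = []
    for n, line in enumerate(lines, 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):                 # local action: same repo, same commit
            continue
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                out.append((n, ref))
        else:
            version = ref.rsplit("@", 1)[1] if "@" in ref else ""
            if not SHA40.match(version):
                out.append((n, ref))
    return out


def run_script_lines(lines):
    """(lineno, text) for every line belonging to a `run:` step, inline or block scalar."""
    out, in_block, indent = [], False, 0
    for n, line in enumerate(lines, 1):
        m = RUN.match(line)
        if m:
            indent = len(m.group(1)) + len(m.group(2) or "")
            in_block = m.group(3).strip() in ("|", ">", "|-", ">-", "|+", ">+", "")
            out.append((n, m.group(3)))
            continue
        if in_block:
            if line.strip() == "" or len(line) - len(line.lstrip()) > indent:
                out.append((n, line))
            else:
                in_block = False
    return out


def audit_workflow(text):
    """Return a list of findings; empty means the workflow passes these checks."""
    lines = text.splitlines()
    findings = [f"line {n}: {ref} is not pinned to a full commit SHA or image digest"
                for n, ref in unpinned_uses(lines)]
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append("no permissions: block; GITHUB_TOKEN gets the repository default scopes")
    elif re.search(r"^\s*permissions:\s*write-all", text, re.M):
        findings.append("permissions: write-all grants every scope to GITHUB_TOKEN")
    if re.search(r"^\s*pull_request_target:", text, re.M) and \
            re.search(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head", text):
        findings.append("pull_request_target + checkout of the PR head runs untrusted code with secrets")
    for n, script in run_script_lines(lines):
        if EVENT_EXPR.search(script):
            findings.append(f"line {n}: github.event data interpolated into a run: script (injection)")
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(WORKFLOW):
        print(finding)
```

For the injection case the fix is to pass the value through an environment variable (`env: TITLE: ${{ github.event.pull_request.title }}` and then `"$TITLE"` in the script) so the shell never sees the attacker-controlled text as code.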

CONTAINER_BUILD

CHECK: multi-stage builds — separate build deps from runtime
CHECK: minimal base images — distroless or Alpine (Alpine uses musl; test native Node modules against it)
CHECK: no secrets in images — use runtime injection; build-time secrets only via --mount=type=secret, never ARG/ENV, which stay in the layer history
CHECK: image scanning — trivy in CI before push
CHECK: image signing — cosign after successful build, signing the digest (image@sha256:...) rather than a mutable tag
CHECK: COPY specific files — never COPY . . without .dockerignore


INCIDENT:DEPENDENCY_CVE

  1. assess reachability — is the vulnerable function called from our code? (call-graph tools where available: Snyk reachability, govulncheck for Go; otherwise trace the import by hand)
  2. check exploit availability — public exploit or active exploitation? (CISA KEV catalog, ExploitDB, EPSS score)
  3. determine severity — CVSS + reachability + data sensitivity + exposure (internet-facing?)
  4. remediate by SLA — CRITICAL (reachable): 24h. HIGH: 7d. MEDIUM: 30d. If no fixed version exists, mitigate (disable the feature, npm overrides to a patched release) and record the decision
  5. update SBOM, plus a VEX statement for not-affected findings so scanners stop re-flagging them
  6. notify affected clients if production was exposed

INCIDENT:PACKAGE_COMPROMISE (event-stream, ua-parser-js scenarios)

  1. immediately pin to the last known good version (exact version in package.json plus npm overrides for transitive copies) so the bad versions cannot be reinstalled
  2. audit the package for malicious changes — diff the published tarballs (npm diff, npm pack), not only the git history: event-stream's payload lived only in the npm tarball of flatmap-stream, never in the repository
  3. check if a malicious version was installed in any environment — lock files, SBOMs, CI caches, build logs, developer machines
  4. rotate any credentials that may have been exfiltrated — npm/CI tokens, cloud keys, .npmrc, SSH keys on every machine that ran the install scripts
  5. report to npm/registry + NCSC-NL if significant
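Step 3 is the one that has to be answered fast and precisely, and "is it in the lock file" is not enough: npm may install several copies of one package, so you want each installed copy in a bad version and which package required it. This added example (not code from the page or from npm) does that lookup across per-environment lock files, following npm's own resolution rule (a dependent gets the nearest node_modules/<name> walking up from its own path). The lock file fragments and the dependent package analytics-kit are constructed; the bad versions are the ua-parser-js releases hijacked in October 2021.

```python
"""Given a compromised package and the versions the attacker published, find
every environment whose lock file installed one of them and which package
required it (incident step 3). npm may nest several copies of a package, so
the lookup follows npm's resolution: a dependent gets the nearest
node_modules/<name> walking up from its own lock file path.

Added example (not from the original page). LOCKS holds hand-made
package-lock.json fragments (lockfileVersion 3) per environment; the
dependent analytics-kit is invented. BAD_VERSIONS are the ua-parser-js
releases hijacked in October 2021.
"""
import json

COMPROMISED = "ua-parser-js"
BAD_VERSIONS = {"0.7.29", "0.8.0", "1.0.0"}

LOCKS = {
    "prod": json.dumps({"lockfileVersion": 3, "packages": {
        "": {"dependencies": {"analytics-kit": "^2.0.0"}},
        "node_modules/analytics-kit": {"version": "2.0.0",
                                       "dependencies": {"ua-parser-js": "^0.7.28"}},
        "node_modules/ua-parser-js": {"version": "0.7.28"},      # clean version
    }}),
    "staging": json.dumps({"lockfileVersion": 3, "packages": {
        "": {"dependencies": {"analytics-kit": "^2.1.0", "ua-parser-js": "^1.0.0"}},
        "node_modules/analytics-kit": {"version": "2.1.0",
                                       "dependencies": {"ua-parser-js": "^0.7.28"}},
        "node_modules/analytics-kit/node_modules/ua-parser-js": {"version": "0.7.29"},  # nested copy
        "node_modules/ua-parser-js": {"version": "1.0.0"},                               # hoisted copy
    }}),
}

DEP_KEYS = ("dependencies", "optionalDependencies", "devDependencies", "peerDependencies")


def package_name(path):
    """'node_modules/a/node_modules/b' -> 'b'."""
    return path.rsplit("node_modules/", 1)[-1]


def resolves_to(packages, dependent_path, name):
    """Lock file path npm's lookup reaches for `name` from `dependent_path`:
    the nearest enclosing node_modules that contains it, or None."""
    base = dependent_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def affected_installs(lock_text, name, bad_versions):
    """[{path, version, required_by}] for every installed copy of `name` in a bad version."""
    packages = json.loads(lock_text).get("packages", {})
    hits = []
    for path, entry in packages.items():
        if not path or package_name(path) != name or entry.get("version") not in bad_versions:
            continue
        # dependents whose lookup lands on this particular copy ("<root>" = direct dependency)
        required_by = sorted(
            "<root>" if p == "" else package_name(p)
            for p, e in packages.items()
            if any(name in e.get(k, {}) for k in DEP_KEYS) and resolves_to(packages, p, name) == path)
        hits.append({"path": path, "version": entry["version"], "required_by": required_by})
    return hits


def triage(locks, name, bad_versions):
    """Environment -> affected installs (empty list means that environment is clean)."""
    return {env: affected_installs(text, name, bad_versions) for env, text in locks.items()}


if __name__ == "__main__":
    for env, hits in triage(LOCKS, COMPROMISED, BAD_VERSIONS).items():
        print(env, "clean" if not hits else hits)
```

A lock file proves what npm ci would have installed, not what was actually present; combine the result with SBOMs generated at build time and with the CI logs before declaring an environment clean.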

READ_ALSO: domains/security/tools.md, domains/eu-regulation/index.md (CRA section)