Dependency Confusion
Definition
Dependency Confusion is a security vulnerability that arises when a software project inadvertently pulls in a malicious package from a public repository instead of the intended internal or private package. This occurs when the public package has the same name as the internal one, and the package manager prioritizes the public source. This can lead to the execution of unauthorized code, potentially compromising the application and its data.
Secure Settings Example
# Example for a Node.js project using npm (package.json, shown as a complete object)
# Ensure private packages are scoped and use a private registry.
# Note: "publishConfig.registry" only controls where "npm publish" sends this package;
# install-time resolution of the "@mycompany" scope is bound to the private registry in .npmrc, not in package.json.
# Note: the "preinstall" hook fetches npm-force-resolutions from the registry at install time; "resolutions" pins the version it enforces.
{
  "dependencies": {
    "@mycompany/private-package": "1.0.0"
  },
  "publishConfig": {
    "registry": "https://registry.mycompany.com"
  },
  "scripts": {
    "preinstall": "npx npm-force-resolutions"
  },
  "resolutions": {
    "@mycompany/private-package": "1.0.0"
  }
}
Insecure Settings Example
# Example for a Node.js project using npm (package.json, shown as a complete object)
# Using the default public registry without scoping or registry specification:
# a public package published under the same bare name can be selected instead of the internal one.
{
  "dependencies": {
    "private-package": "1.0.0"
  }
}
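As an added example (not part of the original page), a small Node.js script that audits a package.json together with its .npmrc for the two patterns contrasted above: an internal package referenced by a bare, unscoped name, and an internal scope that is not bound to a private registry. The scope "@mycompany", the name "private-package" and the registry URL are assumed sample values, and the inventory of internal scopes and names is supplied by the caller.

```javascript
// Added example (not from the original page): audit package.json plus .npmrc for
// dependency-confusion exposure. Inputs are constructed samples; "@mycompany",
// "private-package" and the registry URL are assumed placeholders.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: {
    "@mycompany/private-package": "1.0.0", // scoped internal package: fine
    "private-package": "1.0.0",            // internal package by bare name: at risk
    "express": "^4.18.0"                   // ordinary public package
  }
});
// Constructed .npmrc that binds the internal scope to the private registry.
const SAMPLE_NPMRC = [
  "@mycompany:registry=https://registry.mycompany.com",
  "//registry.mycompany.com/:_authToken=${NPM_TOKEN}"
].join("\n");

// Collect "@scope:registry=URL" bindings from .npmrc text.
function parseScopeRegistries(npmrcText) {
  const bindings = {};
  for (const raw of npmrcText.split("\n")) {
    const match = raw.trim().match(/^(@[^:\s]+):registry=(\S+)$/);
    if (match) bindings[match[1]] = match[2];
  }
  return bindings;
}

// One finding per dependency the public registry could satisfy although the
// organisation considers it internal (internalScopes/internalNames = own inventory).
function auditDependencies(packageJsonText, npmrcText, internalScopes, internalNames) {
  const pkg = JSON.parse(packageJsonText);
  const bindings = parseScopeRegistries(npmrcText);
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  const findings = [];
  for (const name of Object.keys(deps)) {
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    if (scope === null && internalNames.has(name)) {
      findings.push({ name, issue: "unscoped internal name resolves from the public registry" });
    } else if (scope !== null && internalScopes.has(scope) && !(scope in bindings)) {
      findings.push({ name, issue: `scope ${scope} has no registry binding in .npmrc` });
    }
  }
  return findings;
}

console.log(auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC,
  new Set(["@mycompany"]), new Set(["private-package"])));
```

Running the audit with an empty .npmrc additionally flags the scoped package, since nothing then pins "@mycompany" to the private registry.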