Npm Supply Chain Attacks and Our Approach with raclette
What happened?
In mid-September 2025, the largest supply chain attack in npm’s history was discovered. It got the name Shai-Hulud. Attackers compromised popular npm packages and introduced malware that spread automatically, with the goal of stealing developers’ GitHub tokens in order to reproduce itself.
There are already enough technical write-ups available, for example from JFrog or SecurityBoulevard.
We won’t repeat all the details here. What matters to us: the incident is a clear reminder of how fragile trust in the npm ecosystem can be, and why dependency management must be treated as a core security topic.
npm Security Considerations
npm is the Node.js third-party library ecosystem. For better or worse, it is bigger and more technically advanced than most. It’s basically unavoidable in most JavaScript projects. But especially because of its size, it comes with security challenges that go beyond most other platforms.
- Scale: There simply are millions of packages, tens of millions of new versions each year, and almost every package has a handful of direct dependencies.
- Automation: Installations are fully automated, meaning a single compromised package can affect thousands of projects before anyone notices.
- Limits of human diligence: Manual reviews are essential, but without automated checks like npm audit, failures are guaranteed over a project’s lifetime.
The basic mitigations are well-known:
- reduce exposure by removing unused dependencies,
- audit regularly with the public audit tooling of package managers,
- consider a private registry if you can afford the overhead,
- and above all, rely on fixed versions instead of version ranges.
We will expand on these points in a dedicated security how-to post, but this much is clear: discipline in dependency management is the only way to stay ahead of large-scale threats like Shai-Hulud.
How we approach this in raclette
raclette is not “just another npm package” – it is the foundation for entire applications. That makes our approach to dependency management stricter than average.
During the Shai-Hulud incident, there was a theoretical risk: because some of our packages still allowed version ranges (^), a freshly compromised dependency could have been pulled in by developers who installed raclette at exactly the wrong moment. Already deployed applications were safe, since they always rely on fixed versions.
Still, this event accelerated a change we had already planned: all @raclettejs packages now use fixed, audited versions only.
For every release we:
- run audits through the public tooling of the package managers (yarn audit),
- cross-check lockfiles to ensure integrity,
- and keep our own packages vulnerability-free.
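The two checks above that lend themselves to automation are "rely on fixed versions instead of version ranges" (from the basic mitigations) and "cross-check lockfiles to ensure integrity" (from the release process). The following is an added example, not raclette’s own tooling: it flags unpinned specs in a package.json and verifies that an npm lockfile (lockfileVersion 3 layout) resolves every direct dependency to the pinned version with a sha512 integrity hash. The package names and hashes are constructed samples.

```javascript
// Added example, not raclette's own tooling: flag version ranges in package.json
// and cross-check an npm lockfile (lockfileVersion 3 "packages" map) so each
// direct dependency is pinned and carries a sha512 integrity hash.
// An exact semver such as 1.2.3 or 1.2.3-beta.1 counts as pinned; ^, ~, >, *,
// "latest" or any other range operator does not.
function isPinned(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

function directDeps(pkg) {
  return { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
}

// Names of dependencies whose spec in package.json is not an exact version.
function findUnpinned(pkg) {
  return Object.entries(directDeps(pkg))
    .filter(([, spec]) => !isPinned(spec))
    .map(([name]) => name);
}

// Problems found when comparing package.json against the lockfile: a missing
// entry, a resolved version that differs from the pin, or a weak/absent hash.
function checkLockfile(pkg, lock) {
  const problems = [];
  for (const [name, spec] of Object.entries(directDeps(pkg))) {
    const entry = (lock.packages || {})[`node_modules/${name}`];
    if (!entry) { problems.push(`${name}: missing from lockfile`); continue; }
    if (isPinned(spec) && entry.version !== spec)
      problems.push(`${name}: lock has ${entry.version}, package.json pins ${spec}`);
    if (!/^sha512-/.test(entry.integrity || ''))
      problems.push(`${name}: no sha512 integrity hash`);
  }
  return problems;
}

// Constructed sample manifests (hypothetical package names, fake hashes).
const samplePkg = {
  dependencies: { 'left-pad-ish': '1.3.0', 'widget-lib': '^2.0.0', 'helper-x': '0.9.1' },
  devDependencies: { 'build-tool': '4.1.7' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/left-pad-ish': { version: '1.3.0', integrity: 'sha512-AAAA' },
    'node_modules/widget-lib': { version: '2.4.0', integrity: 'sha512-BBBB' },
    'node_modules/build-tool': { version: '4.1.8', integrity: 'sha1-CCCC' },
  },
};
console.log('unpinned:', findUnpinned(samplePkg));
console.log('lockfile problems:', checkLockfile(samplePkg, sampleLock));
```

Run it against real files by replacing the sample objects with the parsed contents of package.json and package-lock.json; a non-empty result from either function is a reason to fail the release.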
This way, raclette itself aims to not become a supply chain risk for the applications built on top of it.
Additionally, since Shai-Hulud began with stolen credentials, all credentials related to our npm publishing process are well secured, and we use multi-factor authentication wherever possible.
What’s next
We’re working with DISQU GmbH, a startup that’s building tools to measure digital sovereignty, to add their auditing features directly into raclette. Their approach looks at more than just known security issues. They check things like how active the community is, how often packages get updated, and the overall health of the ecosystem.
This fits perfectly with our "security from the start" idea. Most frameworks make you handle dependency security yourself, but we want to build these tools right into raclette. This helps you understand what packages you’re actually adding to your projects. Whether you’re just starting out or building real applications, you’ll get clear information about how stable and trustworthy your dependencies are.
We’ve all seen how bad security attacks can be, and nobody is completely safe. We’re not just making another framework – we’re building an ecosystem that helps you make better choices about the code you depend on.
Stay updated
We’ll continue to share updates on how raclette integrates security as a core principle and much more.
- Follow our progress on GitLab
- Subscribe to our newsletter for updates
- Explore raclette at raclettejs.com
Published on September 19, 2025