From a security perspective, what is the primary purpose of an `.npmrc` file in a project that uses both public and private package registries?
Node.js interview question (advanced practice).
Answer
To configure npm to always resolve certain package scopes (e.g., `@my-company`) from a specific private registry.
Explanation
The `.npmrc` file is used to configure npm's behavior. In a security context, its most critical role when using multiple registries is to associate specific scopes with your private registry (e.g., `@my-company:registry=https://private.registry.com`). This tells npm to resolve packages under that scope only from your private registry, so a package published to the public registry under the same name is never considered, which prevents dependency confusion attacks in which an attacker publishes a malicious package with the same name to the public registry.