Coding Rules Library
Pin private scopes to their registry and reference auth tokens from the environment
Map private scopes to your private registry to prevent dependency-confusion, and keep registry auth tokens in env vars (${VAR}) rather than literal values in .npmrc.
Bad example
```ini
# .npmrc with a hardcoded token and no scope pinning
//npm.pkg.github.com/:_authToken=ghp_aBcD1234RealTokenCommittedToGit

# Private package referenced with no scope→registry mapping, so it resolves
# against the PUBLIC registry — an attacker can publish a same-named public
# package and win (dependency confusion).
```
Explanation (EN)
A literal token in .npmrc gets committed and leaks the moment the repo is cloned or shared. Without a scope→registry mapping, a private dependency can be resolved from the public registry, letting an attacker hijack it by publishing a same-named package — the dependency-confusion attack.
Explanation (HR)
A literal token in .npmrc gets committed and leaks as soon as the repo is cloned or shared. Without a scope→registry mapping, a private dependency can be resolved from the public registry, which lets an attacker hijack it by publishing a same-named package: the dependency-confusion attack.
Good example
```ini
# .npmrc — scope pinned to private registry, token from env
@startsiden:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=${NPM_AUTH_TOKEN}
engine-strict=true

# NPM_AUTH_TOKEN is provided by CI / the shell, never written into the file.
# Every @startsiden/* package resolves only from the private registry.
```
Explanation (EN)
Pinning `@startsiden:registry` forces those packages to resolve only from the private registry, closing the dependency-confusion vector. The `${NPM_AUTH_TOKEN}` interpolation keeps the actual credential in the environment, so the committed .npmrc carries no secret.
Explanation (HR)
Pinning `@startsiden:registry` forces those packages to resolve only from the private registry, closing the dependency-confusion vector. The `${NPM_AUTH_TOKEN}` interpolation keeps the real credential in the environment, so the committed .npmrc carries no secret.
Exceptions / Tradeoffs (EN)
None for the token-in-env rule. Scope pinning applies wherever you consume private/internal packages; a purely public-dependency project has no scope to pin.
Exceptions / Tradeoffs (HR)
There is no exception to the token-in-env rule. Scope pinning applies wherever you consume private/internal packages; a project with exclusively public dependencies has no scope to pin.