Defining a security policy

As an Enterprise admin, you can prevent the download of insecure packages. For example, this is useful for keeping vulnerable dependencies out of your applications. At the moment, you can choose from three different security policies:

Note: packages are only blocked if they are not locally cached. Whenever you change policy, we recommend clearing your global cache (npm cache clear --force) and doing a clean install of your project (npm clean-install).

All packages are allowed by default. To change your security policy:

  1. Log in to your Enterprise instance using your temporary username and password.
  2. In the upper right corner of the page, click your profile picture, then click Site Administration. drop-down with site administration choice
  3. Click “settings”. admin panel settings button
  4. On the Settings page, under Security Policy, choose a policy. choose a security policy
  5. Optionally provide a custom message for the install logs whenever a package is blocked. custom blocking message
  6. If present, check the “I acknowledge that this policy may cause my builds to break” box. acknowledge broken builds
  7. Click “Apply Policy”.

If npm install attempts to download a package that violates the policy, developers will see an error similar to the following.

$ npm i [email protected]
npm notice Could not download lodash 1.0.0 due to policy violations. Use `npm audit fix` to upgrade this dependency.
npm ERR! code E403
npm ERR! 403 Forbidden - GET https://registry.npmjs.com/lodash/-/lodash-1.0.0.tgz

To fix this error, use npm audit fix to upgrade dependencies to versions that don’t violate policy.


< Configuring an authentication provider