Introducing NodeSecurity: A better way to control module access!

December 29th 2018
Author profile picture

@MattHWebDesignMatt Hayward

Inspired by David Gilbertson’s recent post ( and some of the recent issues with npm packages being hijacked, I just published the first version of NodeSecurity on GitHub.

David wrote in his post…

Imagine a package, created and maintained by npm (or someone equally trustworthy and farsighted). Let’s call it @npm/permissions.
You would include this @npm/permissions package as the first import in your app, either in a file, or you run your app like node -r @npm/permissions index.js.
This would override require() to enforce the permissions stated in a package’s package.json permissions property.

So I made it happen!

How it works

NodeSecurity works by overriding the Node.JS require() function, allowing us to enforce access constraints.


Firstly include NodeSecurity in your project at the very top of your applications entrypoint (before any other requires) and create a new instance.

Note: If you’re using the ES6 imports you’ll need to create a seperate file that is imported at the entrypoint of your application. Without doing this it won’t be possible to configure NodeSecurity before any other modules are loaded.

Configure NodeSecurity

🎉 And you’re done! 🎉

All required / imported modules from this point onwards will have to be allowed by our configuration.

I need your help

NodeSecurity is no where near finished and without a doubt there is ways to bypass its security! If you’ve got any feedback, suggestions or want to contribute please reach out or submit a PR!

You can via the GitHub repo here:



The Noonification banner

Subscribe to get your daily round-up of top tech stories!