dependencyConfusion

Rendered from docs/alerts/dependencyConfusion.md


Flags package names that may collide between public npm and a private registry namespace (dependency confusion risk).

Implemented in: src/lib/detection/plugins/dependency-confusion.ts
Enabled by default: no (available plugin; enable in the detection service/plugin set)

What it means

The package name matches patterns that are expected to be "private/internal" (for example an unscoped name carrying a company prefix). If such a name is not pinned to a private registry, an attacker can publish a package with the same name to public npm, and any install that consults the public registry for that name pulls the attacker's package instead of the internal one.

Why it matters

Dependency confusion attacks can result in installing attacker-controlled packages in CI or production when registry resolution is misconfigured. Because npm runs a package's install scripts by default, that amounts to code execution on every machine that performs the install.

What to do

  • Ensure .npmrc / registry config routes internal packages to your private registry (for scoped packages, an `@scope:registry=` entry), and that the private registry or proxy does not fall back to public npm for those names.
  • Reserve/claim public package names (and the scope itself on npmjs.com) so an attacker cannot publish under them.
  • Use @scope/* naming conventions for internal packages; a scope only protects you if it is both owned on the public registry and mapped to the private one.
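
The steps above can be checked mechanically. The following is an added example, not the dependency-confusion plugin's own code: it parses a project's `.npmrc`, works out which registry `npm install` would contact for each dependency, and flags internal-looking names that would still be fetched from public npm. The internal naming convention (`@acme` scope, `acme-` prefix), the registry URLs and the sample inputs are assumptions constructed for illustration.

```typescript
// Added example (not the plugin's code): report dependencies that look
// internal but resolve to the public registry under the given .npmrc.
// INTERNAL_SCOPES, INTERNAL_PATTERNS, the registry URLs and the sample
// inputs below are assumptions for illustration only.

const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Assumed conventions for what counts as "internal" in this example.
const INTERNAL_SCOPES = ["@acme"];
const INTERNAL_PATTERNS: RegExp[] = [/^acme-/, /-internal$/];

interface Finding {
  name: string;
  resolvedRegistry: string;
  reason: string;
}

// Parse the key=value lines of an .npmrc; comments (# or ;) and blanks are skipped.
function parseNpmrc(text: string): Map<string, string> {
  const cfg = new Map<string, string>();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    cfg.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return cfg;
}

// "@acme/auth" -> "@acme"; unscoped names -> null.
function scopeOf(name: string): string | null {
  if (!name.startsWith("@")) return null;
  const slash = name.indexOf("/");
  return slash < 0 ? name : name.slice(0, slash);
}

// Registry that `npm install` would contact for `name` under `cfg`:
// a per-scope `@scope:registry` wins, then the global `registry`, then npmjs.
function registryFor(name: string, cfg: Map<string, string>): string {
  const scope = scopeOf(name);
  if (scope) {
    const scoped = cfg.get(`${scope}:registry`);
    if (scoped) return scoped;
  }
  return cfg.get("registry") ?? PUBLIC_REGISTRY;
}

function looksInternal(name: string): boolean {
  const scope = scopeOf(name);
  if (scope) return INTERNAL_SCOPES.includes(scope);
  return INTERNAL_PATTERNS.some((p) => p.test(name));
}

// Flag every internal-looking dependency whose resolution does not end at the private registry.
function findConfusionRisks(
  deps: Record<string, string>,
  cfg: Map<string, string>,
  privateRegistry: string,
): Finding[] {
  const findings: Finding[] = [];
  for (const name of Object.keys(deps)) {
    if (!looksInternal(name)) continue;
    const resolvedRegistry = registryFor(name, cfg);
    if (resolvedRegistry !== privateRegistry) {
      const scope = scopeOf(name);
      findings.push({
        name,
        resolvedRegistry,
        reason: scope
          ? `scope ${scope} is not routed to the private registry`
          : "unscoped internal-looking name falls back to the default registry",
      });
    }
  }
  return findings;
}

// Constructed sample input: one scoped and one unscoped internal package
// alongside two ordinary public dependencies.
const PRIVATE_REGISTRY = "https://npm.acme.example/";
const SAMPLE_DEPS: Record<string, string> = {
  "@acme/auth": "^1.2.0",
  "acme-logger": "2.0.1",
  "lodash": "^4.17.21",
  "@types/node": "^20.0.0",
};
// Weak config: everything, internal names included, resolves against public npm.
const WEAK_NPMRC = "registry=https://registry.npmjs.org/\n";
// Fixed config: the internal scope is pinned to the private registry.
const FIXED_NPMRC =
  "# route the internal scope to the private registry\n" +
  "@acme:registry=https://npm.acme.example/\n";

console.log("weak:", findConfusionRisks(SAMPLE_DEPS, parseNpmrc(WEAK_NPMRC), PRIVATE_REGISTRY));
console.log("fixed:", findConfusionRisks(SAMPLE_DEPS, parseNpmrc(FIXED_NPMRC), PRIVATE_REGISTRY));
```

With the weak `.npmrc` both `@acme/auth` and `acme-logger` are flagged. With the fixed one only `acme-logger` remains: the `@acme:registry=` entry protects the scoped name, but an unscoped internal name still falls back to the default registry, which is why the scoping convention matters. A real check would additionally confirm that the private registry itself does not proxy unknown names through to public npm; that is a property of the registry's configuration, not of `.npmrc`.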

Common fields

  • metadata may include which pattern(s) matched and which registry config was assumed