You have probably heard about a recent incident where a popular npm package, event-stream, included malicious code that could have affected thousands of apps (or more!). Hopefully, the attack was tailored to affect only a specific project. The original author of the library was the victim of a social engineering attack and a malicious hacker gained publishing permissions.