[{"data":1,"prerenderedAt":410},["ShallowReactive",2],{"blog-best-practices/third-party":3},{"id":4,"title":5,"body":6,"category":385,"date":386,"dateModified":387,"description":388,"draft":389,"extension":390,"faq":391,"featured":389,"headerVariant":395,"image":396,"keywords":396,"meta":397,"navigation":398,"ogDescription":399,"ogTitle":396,"path":400,"readTime":401,"schemaOrg":402,"schemaType":403,"seo":404,"sitemap":405,"stem":406,"tags":407,"twitterCard":408,"__hash__":409},"blog/blog/best-practices/third-party.md","Third-Party Integration Security: APIs, SDKs, and Dependencies",{"type":7,"value":8,"toc":374},"minimark",[9,16,25,30,33,52,67,145,149,152,161,165,168,177,181,184,193,197,200,208,228,232,235,244,250,294,316,320,323,343,362],[10,11,12],"tldr",{},[13,14,15],"p",{},"The #1 third-party security best practice is auditing dependencies before adding them. Use lockfiles and pin versions. Scan for vulnerabilities automatically. Apply principle of least privilege to API keys. Have fallback plans for service outages. 
The security of your app includes the security of everything it depends on.",[17,18,19],"quotable-box",{},[20,21,22],"blockquote",{},[13,23,24],{},"\"The security of your application is only as strong as its weakest dependency.\"",[26,27,29],"h2",{"id":28},"best-practice-1-audit-dependencies-before-adding-3-min","Best Practice 1: Audit Dependencies Before Adding 3 min",[13,31,32],{},"Evaluate security before adding new dependencies:",[34,35,36,40,43,46,49],"ul",{},[37,38,39],"li",{},"Check maintenance status (recent commits, releases)",[37,41,42],{},"Review open security issues and CVEs",[37,44,45],{},"Check download counts and community adoption",[37,47,48],{},"Review the dependency's own dependencies",[37,50,51],{},"Verify the package is the official one (typosquatting)",[53,54,56],"code-block",{"label":55},"Dependency audit commands",[57,58,63],"pre",{"className":59,"code":61,"language":62},[60],"language-text","# npm - check for vulnerabilities\nnpm audit\nnpm audit --audit-level=high\n\n# Check package info\nnpm info package-name\n\n# See dependency tree\nnpm ls package-name\n\n# Yarn\nyarn audit\n\n# pnpm\npnpm audit\n\n# Python\npip-audit\nsafety check\n\n# Snyk (comprehensive)\nsnyk test\n","text",[64,65,61],"code",{"__ignoreMap":66},"",[68,69,70,86],"table",{},[71,72,73],"thead",{},[74,75,76,80,83],"tr",{},[77,78,79],"th",{},"Red Flag",[77,81,82],{},"Risk",[77,84,85],{},"Action",[87,88,89,101,112,123,134],"tbody",{},[74,90,91,95,98],{},[92,93,94],"td",{},"No updates in 2+ years",[92,96,97],{},"Unmaintained, vulnerabilities",[92,99,100],{},"Find alternative",[74,102,103,106,109],{},[92,104,105],{},"Few downloads",[92,107,108],{},"Less vetted, possible typosquat",[92,110,111],{},"Verify legitimacy",[74,113,114,117,120],{},[92,115,116],{},"Many open security issues",[92,118,119],{},"Known vulnerabilities",[92,121,122],{},"Assess severity",[74,124,125,128,131],{},[92,126,127],{},"Excessive permissions",[92,129,130],{},"Over-privileged 
access",[92,132,133],{},"Review necessity",[74,135,136,139,142],{},[92,137,138],{},"Obfuscated code",[92,140,141],{},"Hidden malicious code",[92,143,144],{},"Avoid",[26,146,148],{"id":147},"best-practice-2-lock-dependencies-2-min","Best Practice 2: Lock Dependencies 2 min",[13,150,151],{},"Prevent unexpected updates from introducing vulnerabilities:",[53,153,155],{"label":154},"Lockfile management",[57,156,159],{"className":157,"code":158,"language":62},[60],"# Always commit lockfiles\ngit add package-lock.json  # npm\ngit add yarn.lock          # Yarn\ngit add pnpm-lock.yaml     # pnpm\n\n# Use exact versions in package.json\n{\n  \"dependencies\": {\n    \"express\": \"4.18.2\",        // Exact version\n    \"lodash\": \"^4.17.21\"        // Avoid caret for security-critical\n  }\n}\n\n# Install from lockfile in CI/CD\nnpm ci                    # Not npm install\nyarn install --frozen-lockfile\npnpm install --frozen-lockfile\n\n# Enable Dependabot or Renovate for updates\n# .github/dependabot.yml\nversion: 2\nupdates:\n  - package-ecosystem: \"npm\"\n    directory: \"/\"\n    schedule:\n      interval: \"weekly\"\n    open-pull-requests-limit: 10\n",[64,160,158],{"__ignoreMap":66},[26,162,164],{"id":163},"best-practice-3-minimize-permissions-2-min","Best Practice 3: Minimize Permissions 2 min",[13,166,167],{},"Give third-party services only necessary access:",[53,169,171],{"label":170},"Least privilege for API keys",[57,172,175],{"className":173,"code":174,"language":62},[60],"// WRONG: Using admin/root API keys\nconst stripe = new Stripe(process.env.STRIPE_SECRET_KEY);  // Full access\n\n// CORRECT: Use restricted keys where possible\n// Stripe: Create restricted keys with specific permissions\n// - Can only create charges\n// - Cannot access customer data\n// - Cannot modify account settings\n\n// AWS: Use IAM roles with minimal permissions\n{\n  \"Effect\": \"Allow\",\n  \"Action\": [\n    \"s3:GetObject\",\n    \"s3:PutObject\"\n  ],\n  \"Resource\": 
\"arn:aws:s3:::my-bucket/uploads/*\"\n  // Not s3:* or arn:aws:s3:::*\n}\n\n// GitHub: Use fine-grained personal access tokens\n// - Specific repositories only\n// - Read-only where possible\n// - Short expiration\n\n// Firebase: Use security rules, not admin SDK when possible\n// Client SDK respects rules; admin SDK bypasses them\n",[64,176,174],{"__ignoreMap":66},[26,178,180],{"id":179},"best-practice-4-handle-third-party-failures-3-min","Best Practice 4: Handle Third-Party Failures 3 min",[13,182,183],{},"Do not let external service failures crash your app:",[53,185,187],{"label":186},"Resilient third-party calls",[57,188,191],{"className":189,"code":190,"language":62},[60],"import CircuitBreaker from 'opossum';\n\n// Circuit breaker for external APIs\nconst paymentBreaker = new CircuitBreaker(processPayment, {\n  timeout: 10000,           // 10 second timeout\n  errorThresholdPercentage: 50,\n  resetTimeout: 30000,      // Try again after 30s\n});\n\npaymentBreaker.fallback(() => {\n  // Queue for retry or show user-friendly error\n  return { status: 'pending', message: 'Payment processing delayed' };\n});\n\npaymentBreaker.on('open', () => {\n  alertOps('Payment provider circuit breaker opened');\n});\n\n// Timeout wrapper for any external call\nasync function withTimeout(promise, ms, fallback) {\n  const timeout = new Promise((_, reject) =>\n    setTimeout(() => reject(new Error('Timeout')), ms)\n  );\n\n  try {\n    return await Promise.race([promise, timeout]);\n  } catch (error) {\n    if (fallback) return fallback;\n    throw error;\n  }\n}\n\n// Usage\nconst userData = await withTimeout(\n  thirdPartyApi.getUser(userId),\n  5000,\n  { name: 'Unknown', cached: true }\n);\n",[64,192,190],{"__ignoreMap":66},[26,194,196],{"id":195},"best-practice-5-secure-third-party-scripts-2-min","Best Practice 5: Secure Third-Party Scripts 2 min",[13,198,199],{},"Client-side scripts are particularly risky:",[53,201,203],{"label":202},"Secure third-party script 
loading",[57,204,206],{"className":205,"code":66,"language":62},[60],[64,207,66],{"__ignoreMap":66},[34,209,210,213,216,219,222,225],{},[37,211,212],{},"Use SRI hashes for all external scripts",[37,214,215],{},"Implement strict CSP to limit script sources",[37,217,218],{},"Load non-critical scripts asynchronously",[37,220,221],{},"Sandbox third-party iframes",[37,223,224],{},"Review third-party scripts periodically",[37,226,227],{},"Self-host critical scripts when possible",[26,229,231],{"id":230},"best-practice-6-monitor-third-party-security-2-min","Best Practice 6: Monitor Third-Party Security 2 min",[13,233,234],{},"Stay informed about vulnerabilities in your dependencies:",[53,236,238],{"label":237},"Automated vulnerability monitoring",[57,239,242],{"className":240,"code":241,"language":62},[60],"# GitHub: Enable Dependabot alerts\n# Settings > Security > Code security and analysis\n# Enable: Dependency graph, Dependabot alerts, Dependabot security updates\n\n# Snyk in CI/CD\n# .github/workflows/security.yml\n- name: Run Snyk to check for vulnerabilities\n  uses: snyk/actions/node@master\n  env:\n    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}\n  with:\n    args: --severity-threshold=high\n\n# npm audit in CI\n- name: Security audit\n  run: npm audit --audit-level=high\n\n# Socket.dev for supply chain attacks\n# Detects typosquatting, malicious packages, etc.\n- name: Socket Security\n  uses: socketsecurity/socket-action@v1\n",[64,243,241],{"__ignoreMap":66},[245,246,247],"info-box",{},[13,248,249],{},"Supply Chain Attacks:\nAttackers increasingly target popular packages. The event-stream incident, ua-parser-js compromise, and colors.js sabotage show that even popular packages can become vectors. 
Use lockfiles, monitor for unusual updates, and consider tools like Socket.dev that analyze package behavior.",[245,251,252,255],{},[13,253,254],{},"External Resources:",[34,256,257,266,273,280,287],{},[37,258,259],{},[260,261,265],"a",{"href":262,"rel":263},"https://docs.npmjs.com/cli/commands/npm-audit",[264],"nofollow","npm audit documentation",[37,267,268],{},[260,269,272],{"href":270,"rel":271},"https://snyk.io/learn/open-source-security/",[264],"Snyk Open Source Security Guide",[37,274,275],{},[260,276,279],{"href":277,"rel":278},"https://owasp.org/www-project-dependency-check/",[264],"OWASP Dependency-Check",[37,281,282],{},[260,283,286],{"href":284,"rel":285},"https://socket.dev/npm/package/overview",[264],"Socket.dev Package Analysis",[37,288,289],{},[260,290,293],{"href":291,"rel":292},"https://docs.github.com/en/code-security/dependabot",[264],"GitHub Dependabot documentation",[295,296,297,304,310],"faq-section",{},[298,299,301],"faq-item",{"question":300},"Should I vendor (copy) dependencies?",[13,302,303],{},"Vendoring gives you maximum control but makes you responsible for tracking and applying security updates yourself. It is useful for critical dependencies or when you need to patch them. For most dependencies, use lockfiles and automated update tools instead.",[298,305,307],{"question":306},"How do I handle a vulnerability in a dependency?",[13,308,309],{},"Check if a patched version exists and update. If not, check for workarounds or mitigations. If the vulnerable code path is not reachable from your app, document that decision and accept the risk temporarily, re-checking it whenever the dependency or your use of it changes. For critical vulnerabilities with no fix, consider removing or replacing the dependency.",[298,311,313],{"question":312},"Should I trust AI-generated dependency recommendations?",[13,314,315],{},"AI tools can suggest outdated or non-existent packages (hallucinations), and a hallucinated package name may later be registered by an attacker. Always verify that recommended packages exist, are actively maintained, and are the official version. 
Check npm/PyPI directly before installing anything.",[26,317,319],{"id":318},"further-reading","Further Reading",[13,321,322],{},"Put these practices into action with our step-by-step guides.",[34,324,325,331,337],{},[37,326,327],{},[260,328,330],{"href":329},"/blog/how-to/add-security-headers","Add security headers to your app",[37,332,333],{},[260,334,336],{"href":335},"/blog/checklists/pre-deployment-security-checklist","Pre-deployment security checklist",[37,338,339],{},[260,340,342],{"href":341},"/blog/getting-started/first-scan","Run your first security scan",[344,345,346,352,357],"related-articles",{},[347,348],"related-card",{"description":349,"href":350,"title":351},"Secure CI/CD practices","/blog/best-practices/deployment","Deployment Security",[347,353],{"description":354,"href":355,"title":356},"Secure API integration","/blog/best-practices/api-design","API Security",[347,358],{"description":359,"href":360,"title":361},"Protect API keys","/blog/best-practices/secrets","Secrets Management",[363,364,367,371],"cta-box",{"href":365,"label":366},"/","Start Free Scan",[26,368,370],{"id":369},"scan-your-dependencies","Scan Your Dependencies",[13,372,373],{},"Check for vulnerabilities in your third-party dependencies.",{"title":66,"searchDepth":375,"depth":375,"links":376},2,[377,378,379,380,381,382,383,384],{"id":28,"depth":375,"text":29},{"id":147,"depth":375,"text":148},{"id":163,"depth":375,"text":164},{"id":179,"depth":375,"text":180},{"id":195,"depth":375,"text":196},{"id":230,"depth":375,"text":231},{"id":318,"depth":375,"text":319},{"id":369,"depth":375,"text":370},"best-practices","2026-02-05","2026-02-25","Third-party security best practices. 
Learn how to safely integrate external APIs, evaluate SDK security, manage dependencies, and limit third-party risk.",false,"md",[392,393,394],{"question":300,"answer":303},{"question":306,"answer":309},{"question":312,"answer":315},"vibe-green",null,{},true,"Integrate third-party services securely while managing supply chain risk.","/blog/best-practices/third-party","13 min read","[object Object]","Article",{"title":5,"description":388},{"loc":400},"blog/best-practices/third-party",[],"summary_large_image","hZ6B1AtKF9ajiiyMGUfDb_P-FhGblAAyZlB0uFn-4dc",1775843925098]