1. Avoid publishing secrets to the npm registry
2. Enforce the lockfile
3. Minimize attack surfaces by ignoring run-scripts
4. Assess npm project health
5. Audit for vulnerabilities in open source dependencies

Click through for those tips plus 5 more and a downloadable cheat sheet. Good stuff 👍