Show HN: Safe-NPM – only install packages that are +90 days old
18 days ago
- #npm
- #security
- #supply-chain
- safe-npm is a security-focused npm installer that protects projects from compromised packages by only installing versions that have been publicly available for a minimum of 90 days (default).
- It mitigates supply chain attacks by filtering out recently published versions, giving the security community time to detect malicious updates.
- Key features include:
  - Minimum age threshold for package versions (configurable via --min-age-days).
  - Ability to bypass age requirements for trusted packages (--ignore).
  - Strict mode to fail installations if dependencies don't meet age requirements (--strict).
  - Options to control dependency types (--dev, --prod-only).
  - Dry-run mode to preview installations (--dry-run).
- Installation methods:
  - Global installation via npm install -g @dendronhq/safe-npm.
  - Direct usage with safe-npm install.
  - Local development setup by cloning the repository and linking the binary.
- Use cases include:
  - Critical production systems where maximum security is needed (higher age thresholds).
  - CI/CD pipelines with strict dependency requirements.
  - Projects needing newer features with slightly more risk (lower age thresholds).
- Limitations:
  - Doesn't protect against packages malicious from inception.
  - Delays access to legitimate updates.
  - Requires trust in older versions' security.
- Security recommendations:
  - Combine with regular security audits (npm audit).
  - Review dependencies before adding.
  - Monitor security advisories.
  - Use lock files for reproducible builds.
  - Run in sandboxed environments.
- Requirements: Node.js 18+ and npm.
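The minimum-age rule described above, as an added example that is not safe-npm's own code: it assumes the `time` map that an npm registry packument (GET https://registry.npmjs.org/<name>) returns, which holds `created`, `modified` and one ISO timestamp per published version, and it uses a constructed sample map so it runs offline.

```javascript
// Added illustration (not safe-npm's code): choose the newest version that has
// been public for at least `minAgeDays`, given a packument `time` map.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Parse "major.minor.patch"; returns null for prerelease tags and for the
// non-version keys "created"/"modified", so those entries are skipped.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Returns { version, ageDays } for the newest qualifying version, or null when
// nothing is old enough (the point at which --strict would fail the install).
function newestVersionOlderThan(timeMap, minAgeDays, now = new Date()) {
  let best = null;
  for (const [version, publishedAt] of Object.entries(timeMap)) {
    const parsed = parseSemver(version);
    if (!parsed) continue;
    const ageDays = (now.getTime() - Date.parse(publishedAt)) / MS_PER_DAY;
    if (ageDays < minAgeDays) continue; // too fresh: filtered out
    if (!best || compareSemver(parsed, best.parsed) > 0) {
      best = { version, parsed, ageDays: Math.floor(ageDays) };
    }
  }
  return best ? { version: best.version, ageDays: best.ageDays } : null;
}

// Constructed sample `time` map: 2.0.0 went public only 3 days before "now",
// the kind of fresh release a 90-day threshold is meant to hold back.
const SAMPLE_TIME = {
  created: "2023-01-10T00:00:00.000Z",
  modified: "2024-06-12T00:00:00.000Z",
  "1.0.0": "2023-01-10T00:00:00.000Z",
  "1.1.0": "2024-01-05T00:00:00.000Z",
  "2.0.0": "2024-06-12T00:00:00.000Z",
  "2.1.0-beta.1": "2024-06-13T00:00:00.000Z",
};
const NOW = new Date("2024-06-15T00:00:00.000Z");

console.log(newestVersionOlderThan(SAMPLE_TIME, 90, NOW)); // { version: '1.1.0', ageDays: 162 }
```

With the default 90-day threshold the fresh 2.0.0 is skipped and 1.1.0 (162 days old) is selected; raising the threshold past every version's age yields null, which is the case --strict turns into a failed install.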