Show HN: Safe-install – safer NPM installs with trusted build dependencies
Summary
A new npm package called safe-install is introduced to improve supply-chain security: it lets developers disable install scripts by default and block exotic sub-dependencies, addressing the ongoing wave of npm supply-chain compromises.
Similar Articles
Upcoming breaking changes for NPM v12
npm v12 introduces security-related breaking changes to npm install that disable automatic execution of scripts, git dependencies, and remote URL dependencies by default. Users can prepare by upgrading to npm 11.16.0+ and reviewing warnings to explicitly opt into trusted behaviors.
Staged publishing and new install-time controls for npm
npm introduces staged publishing, requiring human approval via 2FA for package releases, and new `--allow-*` flags (file, remote, directory) to control install sources, improving supply-chain security in npm CLI 11.15.0.
@RhysSullivan: just enabled a minimum age on npm package installs for my machine, should've done this sooner but if you haven't either…
A developer shares a tip to configure a minimum release age for package installs to mitigate supply-chain attacks.
@DeRonin_: USE THIS GUIDE TO PROTECT YOUR COMPUTER FROM NPM HACKS THAT STEAL EVERYTHING IN ONE INSTALL TanStack, a code library us…
The article details a supply-chain attack on the TanStack library via NPM, offering a comprehensive guide to protect development environments by locking dependency ages, pinning versions, and auditing CI/CD pipelines and IDE extensions.
Features everyone should steal from npmx
npmx is an MIT-licensed alternative web frontend for the npm registry that adds security and usability features—like transitive install sizes, install-script disclosure, and outdated/vulnerable-dependency trees—spurring npmjs.com to finally ship dark mode.