As someone who works a lot in the Node ecosystem with TypeScript, I've recently added some protection to my installs because of the recent supply-chain attacks. Here's what I use.
For npm, this is what I use:
```ini
# .npmrc
min-release-age=7
ignore-scripts=true
audit-level=high
prefer-offline=true
allow-git=none
```
It does a few simple things:
- waits 7 days before a freshly published version is allowed to install
- skips install scripts (preinstall/postinstall and friends)
- only fails `npm audit` on high-severity or worse advisories
- prefers cached packages over fetching from the registry
- blocks git-based installs
For pnpm, the same idea takes one line:
```yaml
# pnpm-workspace.yaml
minimumReleaseAge: 10080 # 7 days
```
pnpm uses minutes here, so 10080 is still 7 days.
Bun has the same controls:
```toml
# bunfig.toml
[install]
minimumReleaseAge = 604800 # 7 days
ignoreScripts = true
prefer = "offline"
```
Bun uses seconds, so 604800 is 7 days.
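To make the release-age gate concrete, here is an added example (not code from npm, pnpm or Bun) that models what `min-release-age` / `minimumReleaseAge` do: it reads the `time` map a registry packument carries, with a constructed sample for a fictional package, and only admits versions published at least N days ago. The function names are assumptions, not tool APIs.

```typescript
// Model of the "minimum release age" gate, as an added illustration.
// `TimeMap` has the shape of the npm registry packument `time` field:
// "created", "modified", and one ISO timestamp per published version.
type TimeMap = Record<string, string>;

const MS_PER_DAY = 86400000;

// Constructed sample for a fictional package; values do not refer to any real release.
const SAMPLE_TIME: TimeMap = {
  created: "2024-01-01T00:00:00.000Z",
  modified: "2024-03-10T12:00:00.000Z",
  "1.0.0": "2024-01-01T00:00:00.000Z",
  "1.1.0": "2024-02-15T09:30:00.000Z",
  "1.1.1": "2024-03-10T12:00:00.000Z", // fresh: published hours before "now"
};

// Age of `version` in whole days at instant `now`, or null when the registry
// has no publish time for it (an unknown version is treated as not old enough).
function releaseAgeDays(time: TimeMap, version: string, now: Date): number | null {
  const published = time[version];
  if (published === undefined) return null;
  return Math.floor((now.getTime() - Date.parse(published)) / MS_PER_DAY);
}

function isOldEnough(time: TimeMap, version: string, minDays: number, now: Date): boolean {
  const age = releaseAgeDays(time, version, now);
  return age !== null && age >= minDays;
}

// Newest x.y.z version that passes the gate, or null if none does. Versions
// are compared part by part numerically, which suffices for plain x.y.z tags.
function newestAllowed(time: TimeMap, minDays: number, now: Date): string | null {
  const versions = Object.keys(time).filter((k) => /^\d+\.\d+\.\d+$/.test(k));
  const newestFirst = (a: string, b: string): number => {
    const pa = a.split(".").map(Number);
    const pb = b.split(".").map(Number);
    for (let i = 0; i < 3; i++) {
      const d = (pb[i] ?? 0) - (pa[i] ?? 0);
      if (d !== 0) return d;
    }
    return 0;
  };
  const pick = versions.sort(newestFirst).find((v) => isOldEnough(time, v, minDays, now));
  return pick ?? null;
}
```

With a 7-day minimum and "now" shortly after 1.1.1 was published, the gate resolves to 1.1.0: the fresh release is skipped, not rejected forever.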
To add one more layer, put SafeDep PMG in front of the install step. It checks packages before they land in the project.
```sh
brew install safedep/tap/pmg
pmg setup install
pmg setup doctor
pmg npm install
pmg pnpm install
pmg bun install
```
The config lowers the surface area. PMG helps catch the packages that still slip through.