Show HN: Safe-install – safer NPM installs with trusted build dependencies (npmjs.com)
17 points by gkiely a day ago | 5 comments
In light of the ongoing npm supply chain compromises, I built safe-install: https://www.npmjs.com/package/@gkiely/safe-install It brings a couple of protections I wanted from npm but are not built in. Similar to Bun’s trusted dependencies, it lets you disable install scripts by default and define a list of dependencies that are allowed to run build/install scripts: https://bun.com/docs/guides/install/trusted It also supports blocking exotic sub-dependencies, similar to pnpm’s `blockExoticSubdeps` setting: https://gajus.com/blog/3-pnpm-settings-to-protect-yourself-f... I was hoping npm would eventually add something like this, but it does not seem to be happening soon, so I made a small package for it.
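The two protections the post describes (an allowlist for packages that may run install scripts, and rejection of sub-dependencies resolved from outside the registry) can both be checked against an npm lockfile before anything is installed. The script below is an added illustration written for this thread, not the safe-install package's own code. It assumes a lockfileVersion 2/3 `packages` map in which npm marks packages with lifecycle install scripts as `hasInstallScript: true`, treats `https://registry.npmjs.org/` as the only non-exotic source, and approximates "sub-dependency" as any entry nested under a second `node_modules/` segment; the sample lock data is constructed.

```javascript
// Added example (not safe-install's code): pre-install audit of a
// package-lock.json against (1) a trusted-install-scripts allowlist and
// (2) a ban on exotic (non-registry) sub-dependencies.
// Assumptions: lockfileVersion 2/3 "packages" map, npm's hasInstallScript
// flag, and a single registry host.

const REGISTRY_PREFIX = 'https://registry.npmjs.org/'; // assumption: the only trusted source

// Package name from a lock key such as "node_modules/@scope/name" or
// "node_modules/a/node_modules/b" (take the part after the last node_modules/).
function nameFromLockKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Nesting depth: 1 = direct dependency, 2+ = sub-dependency.
function depth(key) {
  return key.split('node_modules/').length - 1;
}

// Returns { ok, untrustedScripts, exoticSubdeps }. A package that declares an
// install script but is not in `trusted` is reported; a nested package whose
// "resolved" URL is not on the registry (git, tarball URL, file:, or missing)
// is reported with its source so a reviewer can see where it came from.
function auditLockfile(lock, trusted) {
  const trustedSet = new Set(trusted);
  const untrustedScripts = [];
  const exoticSubdeps = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // root project entry, not a dependency
    const name = nameFromLockKey(key);
    if (entry.hasInstallScript && !trustedSet.has(name)) {
      untrustedScripts.push(name);
    }
    const resolved = entry.resolved || '';
    if (depth(key) >= 2 && !resolved.startsWith(REGISTRY_PREFIX)) {
      exoticSubdeps.push({ name, resolved: resolved || '(none)' });
    }
  }
  return {
    ok: untrustedScripts.length === 0 && exoticSubdeps.length === 0,
    untrustedScripts,
    exoticSubdeps,
  };
}

// Constructed sample lock: package names are fictitious.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'demo-bundler': '^1.0.0', 'demo-utils': '^2.0.0' } },
    'node_modules/demo-bundler': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/demo-bundler/-/demo-bundler-1.0.0.tgz',
      hasInstallScript: true, // allowed: listed in TRUSTED below
    },
    'node_modules/demo-utils': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/demo-utils/-/demo-utils-2.0.0.tgz',
    },
    'node_modules/demo-utils/node_modules/demo-transitive': {
      version: '0.3.1',
      resolved: 'git+ssh://git@example.invalid/demo/demo-transitive.git#0000000', // exotic sub-dependency
      hasInstallScript: true, // and runs an install script without being trusted
    },
    'node_modules/@demo/native-addon': {
      version: '3.0.0',
      resolved: 'https://registry.npmjs.org/@demo/native-addon/-/native-addon-3.0.0.tgz',
      hasInstallScript: true, // registry package, but not on the allowlist
    },
  },
};

const TRUSTED = ['demo-bundler']; // the project's trusted-build-dependencies list

function runDemo() {
  return auditLockfile(SAMPLE_LOCK, TRUSTED);
}

// Usage on a real lock: node audit-lock.js package-lock.json
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  const report = auditLockfile(lock, TRUSTED);
  console.log(JSON.stringify(report, null, 2));
  process.exitCode = report.ok ? 0 : 1; // non-zero so CI can gate `npm ci --ignore-scripts`
}
```

On the sample data the audit fails twice: `demo-transitive` and `@demo/native-addon` carry install scripts without being trusted, and `demo-transitive` is additionally an exotic sub-dependency pulled from a git URL. Adding the two names to the allowlist clears the script findings but not the exotic-source one, which is the point of keeping the two checks separate.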
jaen 11 hours ago
But... why not just use pnpm? It's generally a straightforward migration. It has dependency cooldowns, build scripts disabled by default, and the setting you mentioned.
pjmlp a day ago
The solution already exists: Nexus, Artifactory, and many others. Security-minded organisations don't allow cowboy installs into projects; the systems are configured to use internal repos, and only IT-validated packages get uploaded into them. Still, it might be of value to single devs.
edoceo a day ago
Yet again I'm asking folk to look at this artifact mirror that was a Show HN a few months ago: https://github.com/artifact-keeper It's currently my favourite package gatekeeper, after a few years of self-built jank.