A security-focused npm installer that protects your projects from newly compromised packages.
Why does this exist?
Supply chain attacks on npm packages are a growing threat. Attackers sometimes compromise legitimate packages by:
Stealing maintainer credentials
Publishing malicious updates to popular packages
Taking over abandoned packages
These attacks often happen suddenly—a package that was safe yesterday might be compromised today. safe-npm protects you by only installing package versions that have been publicly available for a minimum amount of time (90 days by default). This gives the security community time to discover and report malicious releases before they reach your project.
How it works
When you run safe-npm install, it:
1. Reads your dependencies from package.json or command-line arguments
2. Queries the npm registry to find all available versions
3. Filters out versions published more recently than your minimum age threshold
4. Selects the newest version that meets both your semver requirements AND age requirements
5. Installs the safe versions using npm
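The five steps above, worked through in an added JavaScript example that is not safe-npm's own code. It assumes registry data in the shape of an npm packument's "time" field (version string to ISO publish timestamp, plus the "created" and "modified" keys), which is constructed inline here for a hypothetical package named example-lib rather than fetched. The semver matching is a deliberate subset (exact, caret, tilde and "*"); a production tool would use the semver package instead. The final step only builds the npm argument list rather than spawning npm, so the example runs offline.

```javascript
// Added example, not safe-npm's code: age-gated version selection.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample of a packument "time" field for the hypothetical
// package "example-lib". Real data would come from the npm registry.
const SAMPLE_TIMES = {
  created: "2023-01-10T00:00:00.000Z",
  modified: "2024-06-01T00:00:00.000Z",
  "1.0.0": "2023-01-10T00:00:00.000Z",
  "1.1.0": "2023-09-15T00:00:00.000Z",
  "1.1.1": "2024-05-20T00:00:00.000Z", // newer than 90 days at the test's "now"
  "2.0.0": "2024-06-01T00:00:00.000Z", // major bump, also too new
};

// Parse plain x.y.z; prereleases and dist-tags are ignored (return null).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Simplified range matcher: exact "x.y.z", "^x.y.z", "~x.y.z", or "*".
function satisfies(version, range) {
  if (range === "*" || range === "latest" || range === "") return true;
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const base = parseVersion(op ? range.slice(1) : range);
  const v = parseVersion(version);
  if (!base || !v) return false;
  if (compareVersions(v, base) < 0) return false;
  if (op === "") return compareVersions(v, base) === 0;
  if (op === "~") return v[0] === base[0] && v[1] === base[1];
  // caret: same major; for 0.x the minor is the compatibility boundary
  return base[0] !== 0 ? v[0] === base[0] : v[0] === 0 && v[1] === base[1];
}

// Step 2: turn the "time" field into {version, publishedAt} candidates.
function versionsFromTimes(times) {
  return Object.entries(times)
    .filter(([key]) => parseVersion(key) !== null)
    .map(([version, published]) => ({ version, publishedAt: Date.parse(published) }));
}

// Steps 3 and 4: drop anything published after the cutoff, keep what matches
// the range, and return the newest survivor (or null when nothing qualifies).
function selectSafeVersion(times, range, minAgeDays, now = Date.now()) {
  const cutoff = now - minAgeDays * DAY_MS;
  const candidates = versionsFromTimes(times)
    .filter((c) => c.publishedAt <= cutoff)
    .filter((c) => satisfies(c.version, range))
    .sort((a, b) => compareVersions(parseVersion(b.version), parseVersion(a.version)));
  return candidates.length ? candidates[0].version : null;
}

// Step 1 applied to a package.json "dependencies" object. Dependencies with
// no old-enough matching version are reported, never silently upgraded.
function resolveDependencies(deps, registry, minAgeDays, now = Date.now()) {
  const resolved = {};
  const rejected = {};
  for (const [name, range] of Object.entries(deps)) {
    const times = registry[name];
    const version = times ? selectSafeVersion(times, range, minAgeDays, now) : null;
    if (version) resolved[name] = version;
    else rejected[name] = range;
  }
  return { resolved, rejected };
}

// Step 5: the npm argv, pinned with --save-exact so npm cannot substitute a
// newer release of its own accord.
function buildInstallArgs(resolved) {
  return ["install", "--save-exact", ...Object.entries(resolved).map(([n, v]) => `${n}@${v}`)];
}

// Stand-alone demonstration against the constructed registry.
const demo = resolveDependencies({ "example-lib": "^1.0.0" }, { "example-lib": SAMPLE_TIMES }, 90);
console.log("npm " + buildInstallArgs(demo.resolved).join(" "), "rejected:", demo.rejected);
```

The age gate is a delay, not a verdict: a release that has been malicious for longer than the window passes, and the older version it selects may carry a publicly known vulnerability of its own, so the resolved set is still worth running through npm audit. Reporting rejected dependencies explicitly matters for the same reason; a tool that quietly fell back to the newest version would defeat its own purpose.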