| created | modified | type | tags | aliases |
|---|---|---|---|---|
| 2026-06-01 12:45 | 2026-06-01 12:45 | note | | |
# Security: NPM package tools
Check the video: source_url: https://www.youtube.com/watch?v=Wq6yMdt11LM
## Set minimum release age
NPM:
- min-release-age=7 (value in days)
- project: ./.npmrc
- global: ~/.npmrc

PNPM:
- minimumReleaseAge: 1000 (value in minutes)
- project: ./pnpm-workspace.yaml
- global: ~/.config/pnpm/config.yaml

BUN:
- minimumReleaseAge=604800 (value in seconds)
- project: ./bunfig.toml
- global: $HOME/.bunfig.toml
- global: $XDG_CONFIG_HOME/.bunfig.toml
## Disable install scripts
- ignore-scripts=true
- block scripts by default; allow them only for curated / trusted lists of packages.
## Block git-based dependencies
NPM:
- allow-git=none
- allow-git=root

PNPM:
- blockExoticSubdeps: true
- trustPolicy: no-downgrade
## Scan dependencies
- Ensure you use shell aliases so that these scanners run before the install.
- Clear the package manager's cache.
- Socket Firewall: source_url: https://docs.socket.dev/docs/socket-firewall-free
- npq: source_url: https://github.com/lirantal/npq
## Lock files
- A PR can change the package URL inside the lockfile.
- lockfile-lint
## Use clean install commands in CI
- npm ci
- pnpm install --frozen-lockfile
- bun install --frozen-lockfile
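An added shell helper (my own, not from the video or from npm, pnpm or bun) that audits a project directory for the settings collected in this note and picks the clean install command matching the lockfile present. It assumes the project-level file names and keys listed above, and that bun's lockfile is named bun.lock or bun.lockb.

```shell
#!/bin/sh
# Added helper (not part of npm, pnpm or bun): audit a project directory for the
# install-hardening settings collected in this note. It only checks that a key is
# present in the project-level config file; it does not parse or validate the value.

# has_setting FILE STRING: true if FILE exists and a non-comment line contains STRING
has_setting() {
  [ -f "$1" ] && grep -v '^[[:space:]]*#' "$1" | grep -Fq "$2"
}

# audit_pm_config DIR: print one line per missing setting; return 1 if anything is missing
audit_pm_config() {
  pm_dir=$1
  pm_missing=0
  pm_found=0
  # npm: project-level ./.npmrc (min-release-age is in days)
  if [ -f "$pm_dir/.npmrc" ]; then
    pm_found=1
    for key in 'min-release-age=' 'ignore-scripts=true'; do
      has_setting "$pm_dir/.npmrc" "$key" || { echo "npm: '$key' missing in .npmrc"; pm_missing=1; }
    done
  fi
  # pnpm: project-level ./pnpm-workspace.yaml (minimumReleaseAge is in minutes)
  if [ -f "$pm_dir/pnpm-workspace.yaml" ]; then
    pm_found=1
    for key in 'minimumReleaseAge:' 'blockExoticSubdeps: true' 'trustPolicy: no-downgrade'; do
      has_setting "$pm_dir/pnpm-workspace.yaml" "$key" || { echo "pnpm: '$key' missing"; pm_missing=1; }
    done
  fi
  # bun: project-level ./bunfig.toml (minimumReleaseAge is in seconds)
  if [ -f "$pm_dir/bunfig.toml" ]; then
    pm_found=1
    has_setting "$pm_dir/bunfig.toml" 'minimumReleaseAge' || { echo "bun: 'minimumReleaseAge' missing"; pm_missing=1; }
  fi
  [ "$pm_found" -eq 1 ] || { echo "no .npmrc, pnpm-workspace.yaml or bunfig.toml found"; pm_missing=1; }
  return "$pm_missing"
}

# clean_install_cmd DIR: echo the lockfile-respecting install command for the lockfile present
clean_install_cmd() {
  if [ -f "$1/package-lock.json" ]; then echo "npm ci"
  elif [ -f "$1/pnpm-lock.yaml" ]; then echo "pnpm install --frozen-lockfile"
  elif [ -f "$1/bun.lock" ] || [ -f "$1/bun.lockb" ]; then echo "bun install --frozen-lockfile"
  else echo "no lockfile found: do not install in CI" >&2; return 1
  fi
}
```

Run `audit_pm_config . && eval "$(clean_install_cmd .)"` in a CI step so the install is skipped when a hardening key or the lockfile is missing.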