
My minimal Node config for supply-chain protection

As someone who works a lot in the Node ecosystem with TypeScript, I've recently added some protection to my installs in response to the recent supply-chain attacks. Here's what I use.

For npm, this is what I use:

# .npmrc
min-release-age=7
ignore-scripts=true
audit-level=high
prefer-offline=true
allow-git=none

It does a few simple things:

  • waits 7 days before allowing a freshly published version, so a compromised release has time to be noticed and removed before it can reach you
  • skips install scripts, the hook most malicious packages use to run their payload
  • makes npm audit exit non-zero only for high and critical advisories
  • prefers cached packages over fetching from the registry
  • blocks git-based installs

One caveat: ignore-scripts also covers your own project's lifecycle hooks (prepare, postinstall) and any dependency that genuinely needs a build step. For the few packages you trust, run their scripts explicitly with npm rebuild --ignore-scripts=false <package> instead of turning the setting off globally.

For pnpm, the equivalent is a single line:

# pnpm-workspace.yaml
minimumReleaseAge: 10080 # 7 days

pnpm expresses this in minutes, so 10080 is the same 7 days. No script setting is needed: pnpm 10 already skips dependency lifecycle scripts unless the package is listed under onlyBuiltDependencies.

Bun has the same controls:

# bunfig.toml
[install]
minimumReleaseAge = 604800 # 7 days
ignoreScripts = true
prefer = "offline"

Bun uses seconds, so 604800 is 7 days.
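To make the release-age gate concrete across all three managers, here is an added example (mine, not from the post and not the package managers' own resolver code) that resolves a caret range the way such a gate does: against a constructed registry packument it picks the newest version that is at least N days old and lists the versions held back. It assumes plain x.y.z versions and caret ranges for majors of 1 or higher; the packument, its timestamps and the value of "now" are all constructed.

```javascript
// Added example (not from the post): how a "minimum release age" gate
// resolves a version, using a constructed registry packument.
// Assumptions: plain x.y.z versions only; caret ranges for major >= 1.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed packument. The `time` map mirrors what the npm registry
// returns: one ISO timestamp per published version, plus created/modified.
const packument = {
  name: "example-lib",
  "dist-tags": { latest: "1.4.0" },
  time: {
    created: "2025-01-01T00:00:00.000Z",
    modified: "2025-11-30T12:00:00.000Z",
    "1.2.0": "2025-10-01T00:00:00.000Z",
    "1.3.0": "2025-11-20T00:00:00.000Z",
    "1.3.1": "2025-11-28T09:00:00.000Z",
    "1.4.0": "2025-11-30T12:00:00.000Z", // published only hours ago
  },
};

// Returns [major, minor, patch] for an x.y.z string, null otherwise.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Simplified caret semantics: same major, not lower than the base version.
function satisfiesCaret(version, base) {
  const pv = parseVersion(version), pb = parseVersion(base);
  return pv[0] === pb[0] && compareVersions(version, base) >= 0;
}

// Versions in range, split by whether they are at least minAgeDays old.
function partitionByAge(pkg, base, minAgeDays, now) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  const inRange = Object.keys(pkg.time)
    .filter(parseVersion) // drops created/modified keys
    .filter((v) => satisfiesCaret(v, base))
    .sort(compareVersions);
  return {
    eligible: inRange.filter((v) => Date.parse(pkg.time[v]) <= cutoff),
    heldBack: inRange.filter((v) => Date.parse(pkg.time[v]) > cutoff),
  };
}

// Highest in-range version that is old enough, or null when nothing is.
function resolveWithMinAge(pkg, base, minAgeDays, now = new Date()) {
  const { eligible } = partitionByAge(pkg, base, minAgeDays, now);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// The versions the gate refused, for an audit message or a CI log.
function quarantined(pkg, base, minAgeDays, now = new Date()) {
  return partitionByAge(pkg, base, minAgeDays, now).heldBack;
}

const now = new Date("2025-11-30T18:00:00.000Z"); // constructed "now"
console.log(resolveWithMinAge(packument, "1.2.0", 7, now));  // 1.3.0
console.log(resolveWithMinAge(packument, "1.2.0", 0, now));  // 1.4.0
console.log(quarantined(packument, "1.2.0", 7, now));        // [ '1.3.1', '1.4.0' ]
console.log(resolveWithMinAge(packument, "1.2.0", 90, now)); // null: even 1.2.0 is only ~60 days old
```

Run it with node. Note what the gate changes: on that day a fresh install of ^1.2.0 gets 1.3.0, not the latest 1.4.0, so the committed lockfile, not the range, is what pins the version you actually ship. When nothing in range is old enough the resolver here returns null; a real gate has to fail loudly at that point rather than quietly fall back to the newest release.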

To add one more layer, put SafeDep PMG in front of the install step. It checks packages before they land in the project.

brew install safedep/tap/pmg
pmg setup install
pmg setup doctor

pmg npm install
pmg pnpm install
pmg bun install

The config shrinks the attack surface; PMG helps catch the packages that still slip through.

