Safe-install – safer NPM installs with trusted build dependencies

by gkiely·May 12, 2026·19 points·5 comments

AI Analysis

Solid · Solve My Problem

Brings Bun-style trusted dependencies to npm without switching package managers.

Strengths
  • Moves trust decisions into version-controlled package.json instead of global config.
  • Detects exotic sub-dependencies using git: or file: protocols automatically.
Weaknesses
  • Adds an extra npm script step instead of integrating directly into the install flow.
  • Relies on users manually reviewing script output before updating the allowlist.
Target Audience

Security-conscious Node.js developers

Similar To

Bun install --trust · pnpm

Post Description

In light of the ongoing npm supply chain compromises, I built safe-install:

https://www.npmjs.com/package/@gkiely/safe-install

It brings a couple of protections I wanted from npm but that are not built in.

Similar to Bun’s trusted dependencies, it lets you disable install scripts by default and define a list of dependencies that are allowed to run build/install scripts:

https://bun.com/docs/guides/install/trusted

It also supports blocking exotic sub-dependencies, similar to pnpm’s `blockExoticSubdeps` setting:

https://gajus.com/blog/3-pnpm-settings-to-protect-yourself-f...

I was hoping npm would eventually add something like this, but it does not seem to be happening soon, so I made a small package for it.
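The two checks described in the post, sketched as an added example: this is not safe-install's own code and it does not reflect that package's real configuration keys. It assumes a hypothetical `trustedDependencies` array in package.json (named after Bun's setting) and reads the `hasInstallScript`, `resolved` and `link` fields that npm writes into lockfile v2/v3 entries under `packages`. The lockfile object below is constructed for the example and stands in for a real package-lock.json.

```javascript
// Added example, not the safe-install package's code. Audits a lockfile for
// (1) packages that carry install scripts but are not on the allowlist, and
// (2) "exotic" sub-dependencies resolved from git or the local filesystem.
// Assumption: the allowlist lives in package.json as "trustedDependencies"
// (hypothetical key, borrowed from Bun's naming).

const EXOTIC_RESOLVED = /^(git\+|git:|file:)/; // git+ssh://, git+https://, git:, file:

// Lockfile keys look like "node_modules/foo" or, when nested,
// "node_modules/foo/node_modules/bar"; the package name is the last segment.
function packageName(key) {
  const marker = 'node_modules/';
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

function auditLockfile(lock, trustedDependencies) {
  const trusted = new Set(trustedDependencies);
  const untrustedScripts = []; // want to run lifecycle scripts, not allowlisted
  const exotic = [];           // not fetched from a registry tarball
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    // "" is the root project; keys outside node_modules are the project's own
    // workspace or link targets, not third-party code.
    if (!key.includes('node_modules/')) continue;
    const name = packageName(key);
    if (entry.hasInstallScript && !trusted.has(name)) {
      untrustedScripts.push({ name, version: entry.version, path: key });
    }
    const resolved = typeof entry.resolved === 'string' ? entry.resolved : '';
    if (entry.link === true || EXOTIC_RESOLVED.test(resolved)) {
      exotic.push({ name, resolved, path: key });
    }
  }
  return { untrustedScripts, exotic };
}

// One way to get Bun-style behaviour from npm alone: install with scripts
// disabled everywhere, then run `npm rebuild` only for the allowlisted
// packages so that only their lifecycle scripts execute.
function planInstallCommands(trustedDependencies) {
  const commands = ['npm install --ignore-scripts'];
  if (trustedDependencies.length > 0) {
    commands.push(`npm rebuild ${trustedDependencies.join(' ')}`);
  }
  return commands;
}

// Constructed sample lockfile (package-lock v3 shape); names other than
// esbuild are made up for the example.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/esbuild': {
      version: '0.21.0',
      resolved: 'https://registry.npmjs.org/esbuild/-/esbuild-0.21.0.tgz',
      hasInstallScript: true,
    },
    'node_modules/left-pad-ng': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/left-pad-ng/-/left-pad-ng-1.0.0.tgz',
      hasInstallScript: true,
    },
    'node_modules/some-lib': {
      version: '2.3.1',
      resolved: 'https://registry.npmjs.org/some-lib/-/some-lib-2.3.1.tgz',
    },
    'node_modules/some-lib/node_modules/helper': {
      version: '0.0.1',
      resolved: 'git+ssh://git@github.com/example/helper.git#abc123',
    },
    'node_modules/local-tool': { resolved: '../local-tool', link: true },
    '../local-tool': { name: 'local-tool', version: '0.1.0' },
  },
};

const SAMPLE_PACKAGE_JSON = { trustedDependencies: ['esbuild'] }; // hypothetical key

const report = auditLockfile(SAMPLE_LOCK, SAMPLE_PACKAGE_JSON.trustedDependencies);
console.log(JSON.stringify(report, null, 2));
console.log(planInstallCommands(SAMPLE_PACKAGE_JSON.trustedDependencies).join('\n'));
```

Run against the sample, the audit flags `left-pad-ng` (install script, not allowlisted) and two exotic entries: the nested `helper` pulled from a git URL and `local-tool` linked from the filesystem. A real check would read package-lock.json from disk, exit non-zero when either list is non-empty, and only then let the `--ignore-scripts` install and the allowlisted `npm rebuild` proceed.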

Similar Projects

Security · Banger

NPM install is a security hole, so we built a guard for it

Blocks malicious packages at install-time before AI agents execute them on your machine.

Big Brain · Solve My Problem
Sahil121 · 102mo ago
Security · Solid

New NPM Supply chain Attack?

Docker isolation + tcpdump catches malicious npm installs before they touch your machine.

Solve My Problem · Big Brain
adamgonda · 2028d ago