Show HN: Safe-install – safer NPM installs with trusted build dependencies
Run npm installs with dependency lifecycle scripts disabled by default, then rebuild only the packages you explicitly trust.

safe-install is for npm projects that want trusted dependency installs without switching package managers. npm lifecycle scripts can run arbitrary code during install. Setting ignore-scripts=true blocks that whole class of install-time execution, but it also breaks packages that legitimately need postinstall, install, or preinstall scripts to build native bindings, download binaries, or finish setup. This package keeps the default install locked down and moves script execution behind a reviewed allowlist in package.json.

Optionally enable (requires 11.14.0+):

You can pass npm install args through:

You can run npm update through the same command:

safe-install runs npm install with scripts blocked, then runs install scripts only for packages listed in trustedDependencies. If blockExoticSubDeps is set to true in package.json, safe-install also fails the install before rebuilding trusted dependencies when a transitive dependency points outside the npm registry with a git:, file:, link:, or remote tarball URL specifier.

Equivalent manual flow:

Supports npm install flags:

Only add a package to trustedDependencies after reviewing why it needs an install script. This does not make dependency scripts safe; it makes the trust decision explicit and version-controlled.
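The two checks described above, sketched as an added example for reviewing a lockfile before extending the allowlist (this is not safe-install's own code). It assumes the lockfile version 2/3 fields packages, resolved, link and hasInstallScript, that trustedDependencies is an array of package names, and the default registry URL; the package names and URLs in the sample are constructed.

```javascript
// Added example, not safe-install's code. Assumes lockfileVersion 2/3 ("packages" map)
// and that trustedDependencies is an array of package names.
const REGISTRY = 'https://registry.npmjs.org/'; // assumption: default registry only
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null for root/workspace paths
function packageName(lockPath) {
  const i = lockPath.lastIndexOf('node_modules/');
  return i < 0 ? null : lockPath.slice(i + 'node_modules/'.length);
}
// Classify where a lockfile entry comes from; null means an ordinary registry tarball.
function exoticKind(entry) {
  if (entry.link) return 'link:';
  const r = entry.resolved;
  if (!r) return null; // no source recorded (e.g. bundled dependency)
  if (r.startsWith('git+') || r.startsWith('git:')) return 'git:';
  if (r.startsWith('file:')) return 'file:';
  if (/^https?:/.test(r) && !r.startsWith(REGISTRY)) return 'remote tarball';
  return null;
}

function auditLock(pkgJson, lock) {
  const trusted = new Set(pkgJson.trustedDependencies || []);
  const direct = new Set(Object.keys({ ...pkgJson.dependencies, ...pkgJson.devDependencies }));
  const report = { untrustedScripts: [], exoticSubDeps: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (name === null) continue; // root project or workspace folder
    // Install script present but the package was never reviewed into the allowlist.
    if (entry.hasInstallScript && !trusted.has(name)) report.untrustedScripts.push(name);
    const kind = exoticKind(entry);
    const transitive = path !== `node_modules/${name}` || !direct.has(name);
    if (kind && transitive) report.exoticSubDeps.push(`${name} (${kind})`);
  }
  report.blocked = Boolean(pkgJson.blockExoticSubDeps) && report.exoticSubDeps.length > 0;
  return report;
}

// Constructed sample input: package names and URLs are made up.
const SAMPLE_PKG = {
  dependencies: { 'native-addon': '^1.0.0', 'web-lib': '^2.0.0' },
  trustedDependencies: ['native-addon'], blockExoticSubDeps: true,
};
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo' },
  'node_modules/native-addon': { resolved: REGISTRY + 'native-addon/-/native-addon-1.0.0.tgz', hasInstallScript: true },
  'node_modules/fetcher': { resolved: REGISTRY + 'fetcher/-/fetcher-3.1.0.tgz', hasInstallScript: true },
  'node_modules/forked-util': { resolved: 'git+ssh://git@git.example/forked-util.git#0000000' },
  'node_modules/web-lib/node_modules/shim': { resolved: 'https://downloads.example/shim-1.0.0.tgz' },
} };
console.log(auditLock(SAMPLE_PKG, SAMPLE_LOCK));
```

Projects that install from a private registry or mirror would need REGISTRY adjusted, otherwise every package is reported as a remote tarball.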
First seen: May 12, 2026, 8:30 AM
Last updated: May 12, 2026, 12:01 PM