Show HN: Safe-install – safer NPM installs with trusted build dependencies

<p>In light of the ongoing npm supply chain compromises, I built safe-install:<p><a href="https://www.npmjs.com/package/@gkiely/safe-install" rel="nofollow">https://www.npmjs.com/package/@gkiely/safe-install</a><p>It brings a couple of protections I wanted from npm but are not built in.<p>Similar to Bun’s trusted dependencies, it lets you disable install scripts by default and define a list of dependencies that are allowed to run build/install scripts:<p><a href="https://bun.com/docs/guides/install/trusted" rel="nofollow">https://bun.com/docs/guides/install/trusted</a><p>It also supports blocking exotic sub-dependencies, similar to pnpm’s `blockExoticSubdeps` setting:<p><a href="https://gajus.com/blog/3-pnpm-settings-to-protect-yourself-from-supply-chain-attacks#2-set-blockexoticsubdeps" rel="nofollow">https://gajus.com/blog/3-pnpm-settings-to-protect-yourself-f...</a><p>I was hoping npm would eventually add something like this, but it does not seem to be happening soon, so I made a small package for it.</p> <hr> <p>Comments URL: <a href="https://news.ycombinator.com/item?id=48102636">https://news.ycombinator.com/item?id=48102636</a></p> <p>Points: 10</p> <p># Comments: 0</p>