npm-security-best-practices
Official
Harden npm installs against supply-chain attacks
Category: Software Engineering
Tags: npm, supply chain security, dependency confusion, lifecycle scripts, CI security, package hardening, npx security
Author: Aradotso
Version: 1.0.0
Installs: 0
System Documentation
What problem does it solve?
npm package installs are a frequent supply-chain entry point: malicious lifecycle scripts run arbitrary code at install time, dependency confusion pulls a public package in place of an internal one, and compromised or freshly published packages reach a project before anyone has reviewed them. Each of these can compromise a Node.js project and the CI pipeline that installs it.
Core Features & Use Cases
- Secure npm/pnpm/Bun install configuration: Provides hardened defaults such as disabling lifecycle scripts, blocking git-based dependencies, enforcing minimum release age, and applying pnpm trust policies.
- Mitigate common supply-chain attack patterns: Covers dependency confusion prevention via scoped registries and publish configuration, and reduces risk from typosquatting via safer npx usage.
- Security tooling integration: Recommends practical scanners and workflow tools (e.g., Snyk, npq, and Socket CLI) to identify vulnerabilities and issues before and during installs.
Quick Start
Configure the project in .npmrc to disable npm lifecycle scripts, block git-based dependencies, and enforce a minimum package release age, then run an automated vulnerability scan before installing.
Dependency Matrix
Required Modules: None required
Components: Standard package
Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: npm-security-best-practices Download link: https://github.com/Aradotso/security-skills/archive/main.zip#npm-security-best-practices Please download this .zip file, extract it, and install it in the .claude/skills/ directory.