Stop risky package
installs before
they run.
SafeInstall wraps npm, pnpm, and bun: install policy runs first, then the real tool. Open source, MIT licensed. No account required. Six policy checks including Sigstore provenance verification and typo-squat detection.
Global install
One-off / CI
Node >=20 · Open source · MIT license
Package install is now an attack surface.
Supply-chain attacks through npm and similar registries are increasing. The way developers install packages has changed. The tooling has not kept up.
Package installs are an attack surface.
Lifecycle scripts run arbitrary code at install time. A single malicious dependency can exfiltrate tokens, modify files, or establish persistence — before your app even starts.
AI coding makes this worse.
When an AI assistant suggests a package, most developers install it immediately. There is no pause for research, no audit, no second opinion. The speed that makes AI coding powerful also removes the friction that used to catch bad packages.
Scanners alert after the fact.
npm audit and most security tools tell you about known vulnerabilities in packages you already installed. They do nothing about install-time script execution. They do not prevent the package from running during install.
The fix is not more dashboards.
Developers need a guardrail that blocks many risky installs before they run—policy first, then the package manager. Not only a report after the fact.
Valid signatures are not enough.
A compromised npm maintainer can publish a malicious version that cryptographically verifies — signed by a GitHub Actions workflow the attacker controls in a fork of the real repository. Scanners and signature-only checks accept it. Install-time policy with trusted publisher pinning refuses it.
Six protections. Four on by default, two opt-in.
SafeInstall evaluates policy before your package manager runs. Four checks run by default. Typo-squat detection and Sigstore provenance verification are opt-in per project via safeinstall.config.json.
Fresh registry releases
By default, registry versions newer than 72 hours are blocked (configurable via minimumReleaseAgeHours). That window is where many supply-chain publishes get noticed late.
Lifecycle scripts
Packages with preinstall, install, or postinstall scripts are blocked unless you allow those scripts per package in allowedScripts. SafeInstall still forwards --ignore-scripts to the package manager by default so installs stay non-blind.
Non-registry sources
Git, tarball, and direct URL installs are blocked unless that source type is in allowedSources. Registry, workspace, file, and directory sources are allowed by default.
Trust downgrades
Two cases: a registry dependency moves to git/url/tarball, or a new registry version introduces lifecycle scripts where the installed version had none (compared using local node_modules when present).
Typo-squat detection
Requested package names are compared against a curated list of popular npm packages via Damerau-Levenshtein distance with transposition. Close-but-not-exact matches like raect, lodsh, and axois are flagged. Opt-in via typoSquat.mode = 'warn' or 'block'. Minimum name length and per-project ignore list are configurable.
Provenance verification
Fetches the Sigstore attestation bundle for registry packages, verifies signatures against the public Sigstore trust root, checks Rekor transparency log inclusion, and extracts the source repository from the SLSA v1 provenance statement. Pin the expected owner/repo per package via trustedPublishers. Mismatches always block, even in warn mode, because a valid signature from the wrong source is what maintainer-account compromise looks like.
Catching a maintainer-compromise attack.
A valid Sigstore signature is not enough. An attacker who compromises an npm maintainer account can publish a malicious version of a package you already trust, and the attestation on that malicious version will cryptographically verify — signed by a GitHub Actions workflow the attacker controls in a fork of the real repository. SafeInstall catches this. Pin the expected source repository with provenance.trustedPublishers and any build that comes from anywhere else is blocked, even if the signature is valid.
This is the only install-time policy gate that enforces the source-repository property of an npm provenance attestation. CVE scanners look for known vulnerabilities. Content analyzers look for suspicious code. SafeInstall verifies that the cryptographic chain of trust points at the repository you agreed to trust — and refuses anything else.
SafeInstall verifies its own Sigstore attestation against its own GitHub repository via the public Sigstore transparency log.
Evaluate first. Execute second.
No registry proxy. No middleware on downloads. Policy runs locally, then the underlying tool runs as usual.
You run SafeInstall
Prefix your package manager command with safeinstall.
SafeInstall evaluates
For registry packages it uses public npm registry metadata (publish time, scripts). Project installs for pnpm/npm use the lockfile so versions match what the repo will install.
Block or allow
Policy violations exit with code 2 and print Blocked: … lines. Clean runs print Allowed: policy checks passed. then invoke the manager.
Package manager runs
On allow, your exact command runs. SafeInstall appends defaults like --ignore-scripts per packageManagerDefaults unless you change them.
Scanners report. SafeInstall runs first.
npm audit and similar tools report on known issues in dependencies you already installed. SafeInstall evaluates policy before the package manager: it can refuse installs that violate age, script, or source rules, and it forwards --ignore-scripts by default unless you change defaults — see docs for behavior.
| — | Scanners (npm audit, Snyk…) | SafeInstall |
|---|---|---|
| When it runs | After install | Before install |
| What it checks | Known CVEs in installed packages | Install policy: age, scripts, source |
| Output | Vulnerability report | Allow or block, with Blocked: … lines |
| Lifecycle scripts | Does not block install | Blocks if unallowed; default forwards --ignore-scripts to PM |
| Fresh release window | No | Yes (default 72h minimum age) |
| Registry metadata | Varies | Uses npm registry API when evaluating registry packages |
| Requires security expertise | To act on results: yes | Readable block reasons |
| Maintainer-compromise detection | No | Yes (via trusted publisher pinning) |
| Provenance verification | No | Yes (via Sigstore public trust root) |
| Typo-squat detection | No | Yes (embedded top-N list, Damerau-Levenshtein) |
Use both. They solve different problems. SafeInstall is pre-install; scanners are post-install.
Vibe coding is fast.
Blind installs are the cost.
SafeInstall is the gate.
AI assistants suggest packages in seconds. They don't check publish dates. They don't read install scripts. They don't verify the source. You type “yes” and move on.
SafeInstall adds one layer between suggestion and execution: policy. Release age, lifecycle scripts, source type, trust signals — checked before the package manager runs. You keep the speed. You lose the blind spot.
If you vibe code, this is the safety net your workflow is missing.
Works with every AI tool that suggests or runs installs
Typical vibe coding workflow
Same commands — SafeInstall in front.
Also supported: safeinstall init, safeinstall --json …, and project installs that resolve direct deps from lockfiles (pnpm / npm).
Built for developers who ship fast.
A CLI guardrail, not a platform. Scope is intentional: pre-install policy only.
Your machine, your responsibility.
- —AI-assisted workflows mean more installs and less package review
- —No security team to catch risky publishes for you
- —One global install — policy runs locally, no account needed
- —Use safeinstall check on direct dependencies before you ship
Move fast. Don't run installs blind.
- —Small teams ship quickly; one bad install can hit everyone
- —Commit safeinstall.config.json so policy matches across machines
- —Exit code 2 on block is CI-friendly when you wrap installs in pipelines
- —pnpm and npm project installs honor lockfiles — fewer surprise versions
Your AI writes the install command. You control the gate.
- —Using Cursor, Copilot, Cline, Claude Code, or Windsurf
- —AI suggestions skip the usual review instincts — SafeInstall does not
- —Same prefix (safeinstall) for npm, pnpm, and bun
- —JSON mode (--json) fits automation around agents and scripts
Free forever. Open source.
Install in 10 seconds.
Install the CLI globally or try it with npx. No account, no sign-up, no registry auth. Read the docs · View source
Node >=20 · MIT license