SafeInstall – local install-time guardrails for NPM/pnpm/bun

by MichaelLabitzke·Apr 14, 2026·2 points·0 comments

AI Analysis


Blocks risky npm installs before they run, unlike npm audit.

Strengths
  • Policy checks run before package manager executes any lifecycle scripts.
  • Blocks very fresh registry releases, narrowing the window in which a just-published compromised version gets installed.
  • Sigstore provenance verification can pin a package to an expected publisher or repository instead of accepting any valid signature.
Weaknesses
  • Wrapping package managers might break complex CI/CD pipelines unexpectedly.
  • Opt-in checks such as typo-squat detection and provenance pinning must be configured manually.
Target Audience

JavaScript developers concerned about supply chain attacks

Similar To

npm audit · Snyk · Socket

Post Description

Hey HN — after the Axios attack I went looking for something that could help against this kind of install-time risk. I didn’t find a tool that did what I wanted, so I built one. SafeInstall is a local CLI for npm, pnpm, and bun. It checks policy before the package manager runs. Especially now, when tons of people are building with AIs like Cursor and Claude and either give them full rights or just hit enter on every prompt, I thought it was important to build a guardrail before the install happens.

By default it:
  • blocks very fresh registry releases
  • blocks lifecycle scripts unless explicitly allowed
  • blocks git, tarball, and URL installs by default
  • catches trust downgrades, like registry-to-git changes or newly introduced install scripts

Optional checks:
  • typo-squat detection
  • Sigstore provenance verification with publisher/repo pinning, so a package can be tied to an expected source instead of accepting any valid signature

It’s MIT licensed, runs locally, and doesn’t require an account or signup.
Repo: https://github.com/Mickdownunder/SafeInstall
Website: https://safeinstall.dev
I’m interested in feedback on the policy model and on which checks should or shouldn’t be enabled by default.
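To make the policy model in the post concrete, here is an added example of the kind of pre-install gate it describes. This is illustrative code written for this page, not SafeInstall's own code and not taken from its repo. It takes, for each dependency, the specifier from package.json, the release's publish time, the resolved manifest, and the entry from the previous lockfile (all constructed sample data embedded inline so it runs offline), and applies the default rules the post lists plus the opt-in typo-squat heuristic. The 24-hour minimum age, the script allowlist, the rule names, and the short list of well-known package names are assumptions of this example.

```javascript
// Added example (not SafeInstall's code): a minimal pre-install policy gate.
// All registry metadata, manifests and lockfile entries below are constructed
// sample data embedded inline so the check runs offline and deterministically.

const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

// Hypothetical policy; the 24h minimum age and the allowlist are illustrative.
const POLICY = {
  minAgeMs: 24 * 60 * 60 * 1000,    // block releases published less than 24h ago
  allowNonRegistry: false,           // git, tarball and URL specs are blocked
  allowScripts: ['node-gyp-thing'],  // packages whose lifecycle scripts are trusted
  typosquatCheck: true,              // opt-in check, enabled here to show it
};

// Classify a dependency specifier by where the package manager would fetch it.
function classifySpec(spec) {
  if (spec.startsWith('file:')) return 'file';
  if (/^(git\+|git:|github:|gitlab:|bitbucket:|gist:)/.test(spec)) return 'git';
  if (/\.git(#.*)?$/.test(spec)) return 'git';                       // https://host/x/y.git
  if (/^https?:\/\//.test(spec) || /\.(tgz|tar\.gz)$/.test(spec)) return 'url';
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return 'git';           // "user/repo" shorthand
  return 'registry';                                                 // semver range, tag, npm: alias
}

function lifecycleScripts(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return LIFECYCLE.filter((s) => Object.prototype.hasOwnProperty.call(scripts, s));
}

// Optimal-string-alignment distance: counts a transposition ("axois") as one edit.
const WELL_KNOWN = ['lodash', 'express', 'axios', 'react']; // constructed, deliberately short
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
    }
  }
  return d[a.length][b.length];
}

// Evaluate one dependency. `previous` is the entry from the existing lockfile
// (if any) used to detect trust downgrades; `now` is injected for determinism.
function evaluate(dep, policy, now) {
  const findings = [];
  const kind = classifySpec(dep.spec);
  const scripts = lifecycleScripts(dep.manifest);
  if (kind !== 'registry' && !policy.allowNonRegistry) {
    findings.push({ rule: 'non-registry-source', detail: `${kind} install from ${dep.spec}` });
  }
  if (dep.publishedAt && now - Date.parse(dep.publishedAt) < policy.minAgeMs) {
    const ageMin = Math.round((now - Date.parse(dep.publishedAt)) / 60000);
    findings.push({ rule: 'fresh-release', detail: `published ${ageMin} minutes ago` });
  }
  if (scripts.length && !policy.allowScripts.includes(dep.name)) {
    findings.push({ rule: 'lifecycle-scripts', detail: scripts.join(', ') });
  }
  if (dep.previous) {
    if (classifySpec(dep.previous.spec) === 'registry' && kind !== 'registry') {
      findings.push({ rule: 'trust-downgrade', detail: `source changed registry -> ${kind}` });
    }
    if (lifecycleScripts(dep.previous.manifest).length === 0 && scripts.length) {
      findings.push({ rule: 'trust-downgrade', detail: 'install scripts newly introduced' });
    }
  }
  if (policy.typosquatCheck && !WELL_KNOWN.includes(dep.name)) {
    const near = WELL_KNOWN.find((k) => editDistance(dep.name, k) === 1);
    if (near) findings.push({ rule: 'possible-typosquat', detail: `one edit away from ${near}` });
  }
  return { name: dep.name, allowed: findings.length === 0, findings };
}

// Gate the whole install: a wrapper would run this before exec'ing npm/pnpm/bun
// and refuse to continue when `ok` is false, so no lifecycle script ever runs.
function checkInstall(deps, policy, now = Date.now()) {
  const results = deps.map((d) => evaluate(d, policy, now));
  return { ok: results.every((r) => r.allowed), results };
}

// Constructed sample: what a resolver would hand the gate for six dependencies.
const NOW = Date.parse('2026-04-14T12:00:00Z'); // fixed clock for the example
const SAMPLE = [
  { name: 'left-pad-ish', spec: '^1.3.0', publishedAt: '2025-11-02T09:00:00Z',
    manifest: { scripts: {} }, previous: { spec: '^1.2.0', manifest: { scripts: {} } } },
  { name: 'fast-fetch', spec: '^2.0.1', publishedAt: '2026-04-14T10:30:00Z', // 90 min old
    manifest: { scripts: { test: 'jest' } }, previous: null },
  { name: 'colorz', spec: '^3.1.0', publishedAt: '2026-01-10T00:00:00Z',
    manifest: { scripts: { postinstall: 'node setup.js' } },   // install script newly added
    previous: { spec: '^3.0.0', manifest: { scripts: {} } } },
  { name: 'utilkit', spec: 'github:someone/utilkit#main', publishedAt: null, // was on the registry
    manifest: { scripts: {} }, previous: { spec: '^4.2.0', manifest: { scripts: {} } } },
  { name: 'node-gyp-thing', spec: '^9.0.0', publishedAt: '2026-02-01T00:00:00Z',
    manifest: { scripts: { install: 'node-gyp rebuild' } }, previous: null }, // allowlisted
  { name: 'axois', spec: '^1.6.0', publishedAt: '2026-03-01T00:00:00Z',
    manifest: { scripts: {} }, previous: null },                 // one transposition from axios
];

const report = checkInstall(SAMPLE, POLICY, NOW);
for (const r of report.results) {
  for (const f of r.findings) console.log(`BLOCK ${r.name}: ${f.rule} (${f.detail})`);
}
console.log(report.ok ? 'install allowed' : 'install blocked');
```

In real use the publish time would come from the registry packument's `time` field and the manifest from the resolved version's package.json, both fetched by the wrapper before it hands control to the package manager; the point is that every rule is judged on metadata alone, so nothing from the package has executed yet. Provenance pinning is left out of this example because checking a Sigstore bundle needs the signing material and trust roots, which do not belong in an offline sample.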

Similar Projects


NPM install is a security hole, so we built a guard for it

Blocks malicious packages at install-time before AI agents execute them on your machine.

Sahil121
102mo ago