{"slug": "decent-supply-chain-attack-prevention-examples-for-unix-shells-powershell", "title": "decent supply chain attack prevention, examples for unix shells & powershell", "summary": "The article provides configuration snippets for Unix shells (`.zshrc`, `.bashrc`) and PowerShell profiles to wrap package manager commands (`npm`, `pnpm`, `bun`, `yarn`) with the Socket Firewall (`sfw`) tool for supply chain attack prevention. It also includes optional settings to block lifecycle scripts and enforce a minimum package release age for each package manager. Additionally, the article recommends disabling automatic updates for VS Code extensions to reduce supply chain risks.", "body_md": "00-supply-chain-safety.sh\n\n This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.\n \nLearn more about bidirectional Unicode characters\n\n \n Show hidden characters\n\n# install sfw first: (https://socket.dev/blog/introducing-socket-firewall)\n\n# bun/pnpm/npm/yarn install -g sfw\n\n# add the uncommented snippet below to ~/.zshrc, ~/.bashrc, ~/.profile, or ~/.shrc\n\n# reload your shell config:\n\n# . ~/.zshrc\n\n# . ~/.bashrc\n\n# . ~/.profile\n\n# . ~/.shrc\n\n# also... just disable vscode extension auto updates you don't need them: (https://nx.dev/blog/nx-console-v18-95-0-postmortem)\n\n# ctrl + shift + p -> \"auto up\" -> \"Extensions: Disable Auto Update for all Extensions\"\n\n_sfw_package_manager() {\n\n local manager=\"$1\"\n\n local subcommand=\"${2:-}\"\n\n shift\n\n if ! command -v sfw >/dev/null 2>&1; then\n\n print -u2 \"sfw is not installed or not on PATH\"\n\n return 127\n\n fi\n\n case \"$subcommand\" in\n\n i|install|add|ci|update|up|upgrade|exec|dlx|create)\n\n command sfw \"$manager\" \"$@\"\n\n ;;\n\n *)\n\n command \"$manager\" \"$@\"\n\n ;;\n\n esac\n\n}\n\nnpm() { _sfw_package_manager npm \"$@\" }\n\npnpm() { _sfw_package_manager pnpm \"$@\" }\n\nbun() { _sfw_package_manager bun \"$@\" }\n\nyarn() { _sfw_package_manager yarn \"$@\" }\n\nbunx() { command sfw bunx \"$@\" }\n\nnpx() { command sfw bunx \"$@\" }\n\npnpx() { command sfw bunx \"$@\" }\n\n# Extra: block lifecycle scripts / enforce minimum release age per package manager\n\n# npm: ~/.npmrc\n\n# ignore-scripts=true\n\n# min-release-age=3 # days (requires npm v11.10.0 or above)\n\n# bun: ~/.bunfig.toml\n\n# [install]\n\n# ignoreScripts = true\n\n# minimumReleaseAge = 259200 # seconds (3 days)\n\n# pnpm: ~/.config/pnpm/rc\n\n# ignore-scripts=true\n\n# minimum-release-age=4320 # minutes (3 days)\n\n# yarn: ~/.yarnrc.yml\n\n# enableScripts: false\n\n# npmMinimalAgeGate: 3d\n\nMicrosoft.PowerShell_profile.ps1\n\n This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.\n \nLearn more about bidirectional Unicode characters\n\n \n Show hidden characters\n\n# install sfw first: (https://socket.dev/blog/introducing-socket-firewall)\n\n# bun/pnpm/npm/yarn install -g sfw\n\n#\n\n# open ur ps profile:\n\n# New-Item -ItemType File -Force $PROFILE\n\n# notepad $PROFILE\n\n#\n\n# add the uncommented snippet below to the profile then reload it:\n\n# . $PROFILE\n\n#\n\n# also... just disable vscode extension auto updates you don't need them: (https://nx.dev/blog/nx-console-v18-95-0-postmortem)\n\n# ctrl + shift + p -> \"auto up\" -> \"Extensions: Disable Auto Update for all Extensions\"\n\nfunction Invoke-SfwPackageManager {\n\n param(\n\n [string] $Manager,\n\n [Parameter(ValueFromRemainingArguments = $true)]\n\n [string[]] $Args\n\n )\n\n $Subcommand = if ($Args.Count -gt 0) { $Args[0] } else { \"\" }\n\n if (-not (Get-Command sfw -ErrorAction SilentlyContinue)) {\n\n Write-Error \"sfw is not installed or not on PATH\"\n\n return\n\n }\n\n switch ($Subcommand) {\n\n { $_ -in @(\"i\", \"install\", \"add\", \"ci\", \"update\", \"up\", \"upgrade\", \"exec\", \"dlx\", \"create\") } {\n\n & sfw $Manager @Args\n\n return\n\n }\n\n default {\n\n & $Manager @Args\n\n return\n\n }\n\n }\n\n}\n\nfunction npm { Invoke-SfwPackageManager npm @args }\n\nfunction pnpm { Invoke-SfwPackageManager pnpm @args }\n\nfunction bun { Invoke-SfwPackageManager bun @args }\n\nfunction yarn { Invoke-SfwPackageManager yarn @args }\n\nfunction bunx { & sfw bunx @args }\n\nfunction npx { & sfw bunx @args }\n\nfunction pnpx { & sfw bunx @args }\n\n# Extra: block lifecycle scripts / enforce minimum release age per package manager\n\n# npm: %USERPROFILE%\\.npmrc\n\n# ignore-scripts=true\n\n# min-release-age=3 # days (requires npm v11.10.0 or above)\n\n# bun: %USERPROFILE%\\.bunfig.toml\n\n# [install]\n\n# ignoreScripts = true\n\n# minimumReleaseAge = 259200 # seconds (3 days)\n\n# pnpm: %USERPROFILE%\\.config\\pnpm\\rc\n\n# ignore-scripts=true\n\n# minimum-release-age=4320 # minutes (3 days)\n\n# yarn: %USERPROFILE%\\.yarnrc.yml\n\n# enableScripts: false\n\n# npmMinimalAgeGate: 3d\n\nzz-fish-supply-chain-safety.fish\n\n This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.\n \nLearn more about bidirectional Unicode characters\n\n \n Show hidden characters\n\n# install sfw first: (https://socket.dev/blog/introducing-socket-firewall)\n\n# bun/pnpm/npm/yarn install -g sfw\n\n# add the uncommented snippet below to ~/.config/fish/config.fish\n\n# reload your shell config:\n\n# source ~/.config/fish/config.fish\n\n# also... just disable vscode extension auto updates you don't need them: (https://nx.dev/blog/nx-console-v18-95-0-postmortem)\n\n# ctrl + shift + p -> \"auto up\" -> \"Extensions: Disable Auto Update for all Extensions\"\n\nfunction _sfw_package_manager\n\n set manager $argv[1]\n\n set args $argv[2..-1]\n\n set subcommand \"\"\n\n if test (count $args) -gt 0\n\n set subcommand $args[1]\n\n end\n\n if not command -q sfw\n\n echo \"sfw is not installed or not on PATH\" >&2\n\n return 127\n\n end\n\n switch $subcommand\n\n case i install add ci update up upgrade exec dlx create\n\n command sfw $manager $args\n\n case '*'\n\n command $manager $args\n\n end\n\nend\n\nfunction npm\n\n _sfw_package_manager npm $argv\n\nend\n\nfunction pnpm\n\n _sfw_package_manager pnpm $argv\n\nend\n\nfunction bun\n\n _sfw_package_manager bun $argv\n\nend\n\nfunction yarn\n\n _sfw_package_manager yarn $argv\n\nend\n\nfunction bunx\n\n command sfw bunx $argv\n\nend\n\nfunction npx\n\n command sfw bunx $argv\n\nend\n\nfunction pnpx\n\n command sfw bunx $argv\n\nend\n\n# Extra: block lifecycle scripts / enforce minimum release age per package manager\n\n# npm: ~/.npmrc\n\n# ignore-scripts=true\n\n# min-release-age=3 # days (requires npm v11.10.0 or above)\n\n# bun: ~/.bunfig.toml\n\n# [install]\n\n# ignoreScripts = true\n\n# minimumReleaseAge = 259200 # seconds (3 days)\n\n# pnpm: ~/.config/pnpm/rc\n\n# ignore-scripts=true\n\n# minimum-release-age=4320 # minutes (3 days)\n\n# yarn: ~/.yarnrc.yml\n\n# enableScripts: false\n\n# npmMinimalAgeGate: 3d", "url": "https://wpnews.pro/news/decent-supply-chain-attack-prevention-examples-for-unix-shells-powershell", "canonical_source": "https://gist.github.com/Umbranoxio/84bb7f284ce8250108274f54dafef98b", "published_at": "2026-05-22 13:41:21+00:00", "updated_at": "2026-05-22 22:06:17.941137+00:00", "lang": "en", "topics": ["cybersecurity", "developer-tools", "open-source"], "entities": ["Socket.dev", "Socket Firewall", "npm", "pnpm", "bun", "yarn", "VS Code", "Nx Console"], "alternates": {"html": "https://wpnews.pro/news/decent-supply-chain-attack-prevention-examples-for-unix-shells-powershell", "markdown": "https://wpnews.pro/news/decent-supply-chain-attack-prevention-examples-for-unix-shells-powershell.md", "text": "https://wpnews.pro/news/decent-supply-chain-attack-prevention-examples-for-unix-shells-powershell.txt", "jsonld": "https://wpnews.pro/news/decent-supply-chain-attack-prevention-examples-for-unix-shells-powershell.jsonld"}}