# decent supply chain attack prevention, examples for unix shells & powershell

This page provides configuration snippets for Unix shells (`~/.zshrc`, `~/.bashrc`, fish) and for the PowerShell profile that wrap the package manager commands (`npm`, `pnpm`, `bun`, `yarn`) and their package runners (`npx`, `pnpx`, `bunx`) so that every subcommand which fetches or executes packages is passed through the Socket Firewall (`sfw`) tool. Subcommands that only operate locally (`run`, `test`, `ls`, ...) are passed straight to the real binary. Each file also lists optional per-package-manager settings that block lifecycle scripts and enforce a minimum package release age, and recommends disabling automatic updates for VS Code extensions to remove another update channel an attacker could abuse.

## 00-supply-chain-safety.sh

```sh
# install sfw first: https://socket.dev/blog/introducing-socket-firewall
#   bun/pnpm/npm/yarn install -g sfw
# add the uncommented snippet below to ~/.zshrc, ~/.bashrc, ~/.profile, or ~/.shrc
# reload your shell config:
#   . ~/.zshrc
#   . ~/.bashrc
#   . ~/.profile
#   . ~/.shrc
#
# also... just disable vscode extension auto updates, you don't need them:
#   https://nx.dev/blog/nx-console-v18-95-0-postmortem
#   ctrl + shift + p -> "auto up" -> "Extensions: Disable Auto Update for all Extensions"

sfw_package_manager() {
  local manager="$1"
  local subcommand="${2:-}"
  shift   # drop the manager name; "$@" is now the package manager's own argv

  if ! command -v sfw >/dev/null 2>&1; then
    # printf instead of zsh-only `print -u2`, so this also works in bash/sh
    printf '%s\n' "sfw is not installed or not on PATH" >&2
    return 127
  fi

  case "$subcommand" in
    # subcommands that fetch or execute packages go through the firewall
    i|install|add|ci|update|up|upgrade|exec|dlx|create)
      command sfw "$manager" "$@"
      ;;
    # everything else goes to the real binary; `command` skips the wrapper
    # function of the same name
    *)
      command "$manager" "$@"
      ;;
  esac
}

npm()  { sfw_package_manager npm "$@"; }
pnpm() { sfw_package_manager pnpm "$@"; }
bun()  { sfw_package_manager bun "$@"; }
yarn() { sfw_package_manager yarn "$@"; }

# package runners always execute fetched code, so they always go through sfw;
# npx and pnpx are routed via `sfw bunx`
bunx() { command sfw bunx "$@"; }
npx()  { command sfw bunx "$@"; }
pnpx() { command sfw bunx "$@"; }

# Extra: block lifecycle scripts / enforce minimum release age per package manager
#
# npm: ~/.npmrc (min-release-age requires npm v11.10.0 or above)
#   ignore-scripts=true
#   min-release-age=3            # days
#
# bun: ~/.bunfig.toml
#   [install]
#   ignoreScripts = true
#   minimumReleaseAge = 259200   # seconds (3 days)
#
# pnpm: ~/.config/pnpm/rc
#   ignore-scripts=true
#   minimum-release-age=4320     # minutes (3 days)
#
# yarn: ~/.yarnrc.yml
#   enableScripts: false
#   npmMinimalAgeGate: 3d
```

## Microsoft.PowerShell_profile.ps1

```powershell
# install sfw first: https://socket.dev/blog/introducing-socket-firewall
#   bun/pnpm/npm/yarn install -g sfw
# open your PowerShell profile:
#   New-Item -ItemType File -Force $PROFILE
#   notepad $PROFILE
# add the uncommented snippet below to the profile, then reload it:
#   . $PROFILE
#
# also... just disable vscode extension auto updates, you don't need them:
#   https://nx.dev/blog/nx-console-v18-95-0-postmortem
#   ctrl + shift + p -> "auto up" -> "Extensions: Disable Auto Update for all Extensions"

function Invoke-SfwPackageManager {
    param(
        [string]$Manager,
        # named RemainingArgs so it does not shadow PowerShell's automatic $args
        [Parameter(ValueFromRemainingArguments = $true)]
        [string[]]$RemainingArgs = @()
    )

    $Subcommand = if ($RemainingArgs.Count -gt 0) { $RemainingArgs[0] } else { "" }

    if (-not (Get-Command sfw -ErrorAction SilentlyContinue)) {
        Write-Error "sfw is not installed or not on PATH"
        return
    }

    switch ($Subcommand) {
        # subcommands that fetch or execute packages go through the firewall
        { $_ -in @("i", "install", "add", "ci", "update", "up", "upgrade", "exec", "dlx", "create") } {
            & sfw $Manager @RemainingArgs
            return
        }
        default {
            # Resolve the real executable (npm.cmd etc.) explicitly: a bare `& npm`
            # would call the wrapper function of the same name again, because
            # functions take precedence over applications in PowerShell.
            $exe = Get-Command $Manager -CommandType Application -ErrorAction SilentlyContinue |
                Select-Object -First 1
            if (-not $exe) {
                Write-Error "$Manager is not installed or not on PATH"
                return
            }
            & $exe @RemainingArgs
            return
        }
    }
}

function npm  { Invoke-SfwPackageManager npm @args }
function pnpm { Invoke-SfwPackageManager pnpm @args }
function bun  { Invoke-SfwPackageManager bun @args }
function yarn { Invoke-SfwPackageManager yarn @args }

# package runners always execute fetched code, so they always go through sfw;
# npx and pnpx are routed via `sfw bunx`
function bunx { & sfw bunx @args }
function npx  { & sfw bunx @args }
function pnpx { & sfw bunx @args }

# Extra: block lifecycle scripts / enforce minimum release age per package manager
#
# npm: %USERPROFILE%\.npmrc (min-release-age requires npm v11.10.0 or above)
#   ignore-scripts=true
#   min-release-age=3            # days
#
# bun: %USERPROFILE%\.bunfig.toml
#   [install]
#   ignoreScripts = true
#   minimumReleaseAge = 259200   # seconds (3 days)
#
# pnpm: %USERPROFILE%\.config\pnpm\rc
#   ignore-scripts=true
#   minimum-release-age=4320     # minutes (3 days)
#
# yarn: %USERPROFILE%\.yarnrc.yml
#   enableScripts: false
#   npmMinimalAgeGate: 3d
```

## zz-fish-supply-chain-safety.fish

```fish
# install sfw first: https://socket.dev/blog/introducing-socket-firewall
#   bun/pnpm/npm/yarn install -g sfw
# add the uncommented snippet below to ~/.config/fish/config.fish
# reload your shell config:
#   source ~/.config/fish/config.fish
#
# also... just disable vscode extension auto updates, you don't need them:
#   https://nx.dev/blog/nx-console-v18-95-0-postmortem
#   ctrl + shift + p -> "auto up" -> "Extensions: Disable Auto Update for all Extensions"

function sfw_package_manager
    set -l manager $argv[1]
    set -l args $argv[2..-1]
    set -l subcommand ""
    if test (count $args) -gt 0
        set subcommand $args[1]
    end

    if not command -q sfw
        echo "sfw is not installed or not on PATH" >&2
        return 127
    end

    switch $subcommand
        case i install add ci update up upgrade exec dlx create
            # subcommands that fetch or execute packages go through the firewall
            command sfw $manager $args
        case '*'
            # everything else goes to the real binary; `command` skips the wrapper
            command $manager $args
    end
end

function npm
    sfw_package_manager npm $argv
end

function pnpm
    sfw_package_manager pnpm $argv
end

function bun
    sfw_package_manager bun $argv
end

function yarn
    sfw_package_manager yarn $argv
end

# package runners always execute fetched code, so they always go through sfw;
# npx and pnpx are routed via `sfw bunx`
function bunx
    command sfw bunx $argv
end

function npx
    command sfw bunx $argv
end

function pnpx
    command sfw bunx $argv
end

# Extra: block lifecycle scripts / enforce minimum release age per package manager
#
# npm: ~/.npmrc (min-release-age requires npm v11.10.0 or above)
#   ignore-scripts=true
#   min-release-age=3            # days
#
# bun: ~/.bunfig.toml
#   [install]
#   ignoreScripts = true
#   minimumReleaseAge = 259200   # seconds (3 days)
#
# pnpm: ~/.config/pnpm/rc
#   ignore-scripts=true
#   minimum-release-age=4320     # minutes (3 days)
#
# yarn: ~/.yarnrc.yml
#   enableScripts: false
#   npmMinimalAgeGate: 3d
```
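To see what the wrapper actually intercepts before putting it in a real profile, here is an added, self-contained test harness (not part of the gist). It contains a portable copy of the sh/zsh wrapper (`printf` in place of zsh's `print -u2`) and puts constructed stub `sfw` and `npm` scripts on a restricted PATH; the stubs only echo how they were called, so nothing is downloaded or installed. The function names `make_stub_bin` and `run_wrapped_npm` and the sample arguments are mine, not the gist's.

```bash
#!/usr/bin/env bash
# Added example, not part of the gist: drives a portable copy of the wrapper
# against stub `sfw` and `npm` executables in a throwaway directory so the
# dispatch rules (firewalled vs. direct vs. sfw missing) can be observed.

# Portable copy of the gist's wrapper (printf instead of zsh-only print -u2).
sfw_package_manager() {
  local manager="$1"
  local subcommand="${2:-}"
  shift   # drop the manager name; "$@" is now the package manager's argv

  if ! command -v sfw >/dev/null 2>&1; then
    printf '%s\n' "sfw is not installed or not on PATH" >&2
    return 127
  fi

  case "$subcommand" in
    # subcommands that fetch or execute packages are routed through sfw
    i|install|add|ci|update|up|upgrade|exec|dlx|create)
      command sfw "$manager" "$@" ;;
    # everything else bypasses the wrapper function and runs the real binary
    *)
      command "$manager" "$@" ;;
  esac
}

npm() { sfw_package_manager npm "$@"; }

# make_stub_bin: creates a directory holding constructed stub `sfw` and `npm`
# scripts that only report how they were invoked. Prints the directory path.
make_stub_bin() {
  local dir
  dir="$(mktemp -d)"
  printf '#!/bin/sh\necho "sfw-intercepted: $*"\n' > "$dir/sfw"
  printf '#!/bin/sh\necho "real-npm: $*"\n' > "$dir/npm"
  chmod +x "$dir/sfw" "$dir/npm"
  printf '%s\n' "$dir"
}

# run_wrapped_npm with-sfw|without-sfw <npm args...>
# Runs the wrapped `npm` with PATH restricted to the stub directory, prints
# the stub's report line and returns the wrapper's exit status. The
# without-sfw mode deletes the sfw stub to simulate a machine where it was
# never installed, which must fail closed with status 127.
run_wrapped_npm() {
  local mode="$1" dir rc
  shift
  dir="$(make_stub_bin)"
  if [ "$mode" = without-sfw ]; then
    rm -f "$dir/sfw"
  fi
  ( PATH="$dir"; npm "$@" )
  rc=$?
  rm -rf "$dir"
  return "$rc"
}
```

Source the file and call, for example, `run_wrapped_npm with-sfw install some-pkg` (goes through the sfw stub), `run_wrapped_npm with-sfw run build` (goes straight to the npm stub) and `run_wrapped_npm without-sfw install some-pkg` (prints the error and returns 127). The last case is the property worth keeping when adapting the wrapper: if the firewall is missing, installs fail rather than silently running unprotected.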
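The "Extra" settings above use four different key names and three different units for the same three-day gate, which makes it easy to misconfigure one manager. The following added audit script (mine, not the gist's) reads the four config files, normalises each release-age setting to whole days using the units stated above (npm days, bun seconds, pnpm minutes, yarn a duration string such as `3d`) and reports whether lifecycle scripts are blocked and whether the gate is at least the wanted number of days. The function names `cfg_value`, `age_to_days`, `scripts_blocked` and `audit_pm_config` are assumptions of this example; the key names are the ones the gist uses.

```bash
#!/usr/bin/env bash
# Added example, not part of the gist: audits the per-package-manager config
# files for the two protections described above (ignored lifecycle scripts
# and a minimum release age) and reports OK/WEAK for each manager.

# cfg_value <file> <key>: prints the value of the last `key = value` or
# `key: value` line, with surrounding whitespace, quotes and trailing `#`
# comments removed. TOML table headers such as [install] are not tracked;
# the check only looks for the key names used in the gist.
cfg_value() {
  sed -n -E "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*([^#]*).*/\1/p" "$1" \
    | tail -n 1 | tr -d "[:space:]\"'"
}

# age_to_days <manager> <raw-value>: normalises the raw setting to whole days
# (rounded down). An empty or unrecognised value counts as 0 (no gate at all).
age_to_days() {
  local n unit
  case "$1" in
    npm)  echo "${2:-0}" ;;                 # already in days
    bun)  echo $(( ${2:-0} / 86400 )) ;;    # seconds
    pnpm) echo $(( ${2:-0} / 1440 )) ;;     # minutes
    yarn)                                    # duration string: 3d, 72h, 4320m
      n="${2%[dhm]}"
      unit="${2#"$n"}"
      case "$unit" in
        d) echo "${n:-0}" ;;
        h) echo $(( ${n:-0} / 24 )) ;;
        m) echo $(( ${n:-0} / 1440 )) ;;
        *) echo 0 ;;
      esac ;;
    *) echo 0 ;;
  esac
}

# scripts_blocked <manager> <file>: prints yes if lifecycle scripts are disabled.
scripts_blocked() {
  local v
  case "$1" in
    npm|pnpm) v="$(cfg_value "$2" ignore-scripts)"; [ "$v" = true ]  && echo yes || echo no ;;
    bun)      v="$(cfg_value "$2" ignoreScripts)";  [ "$v" = true ]  && echo yes || echo no ;;
    yarn)     v="$(cfg_value "$2" enableScripts)";  [ "$v" = false ] && echo yes || echo no ;;
    *)        echo no ;;
  esac
}

# audit_pm_config <npm|bun|pnpm|yarn> <config-file> [min-days]
# Prints one status line. Returns 0 only if scripts are blocked and the
# release-age gate is at least min-days (default 3, the value used above).
audit_pm_config() {
  local manager="$1" file="$2" min_days="${3:-3}" key blocked days rc=0
  if [ ! -r "$file" ]; then
    printf '%s: %s not found -> WEAK (no protections configured)\n' "$manager" "$file"
    return 1
  fi
  case "$manager" in
    npm)  key=min-release-age ;;
    bun)  key=minimumReleaseAge ;;
    pnpm) key=minimum-release-age ;;
    yarn) key=npmMinimalAgeGate ;;
    *)    printf 'unknown package manager: %s\n' "$manager" >&2; return 2 ;;
  esac
  blocked="$(scripts_blocked "$manager" "$file")"
  days="$(age_to_days "$manager" "$(cfg_value "$file" "$key")")"
  [ "$blocked" = yes ] || rc=1
  [ "$days" -ge "$min_days" ] || rc=1
  printf '%s: scripts blocked=%s, min release age=%sd (want >=%sd) -> %s\n' \
    "$manager" "$blocked" "$days" "$min_days" "$([ "$rc" -eq 0 ] && echo OK || echo WEAK)"
  return "$rc"
}
```

Typical use after sourcing the file: `audit_pm_config npm ~/.npmrc; audit_pm_config bun ~/.bunfig.toml; audit_pm_config pnpm ~/.config/pnpm/rc; audit_pm_config yarn ~/.yarnrc.yml`. Each call exits non-zero when a protection is missing, so the same four lines can run as a pre-commit hook or a workstation compliance check. The unit normalisation is the part worth keeping: a `minimumReleaseAge = 4320` copied from the pnpm snippet into `.bunfig.toml` would be 72 minutes, not 3 days, and the audit reports it as 0 days.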