This baseline hardens npm, pnpm, and bun against common supply-chain risks while keeping setup simple and reproducible.
Recommended Minimum Versions #
- Node.js:
22.22.3 - npm:
11.15.0 - pnpm:
11.2.2or newer - bun:
1.3.14or newer
npm #
Path: ~/.npmrc
registry=https://registry.npmjs.org/
ignore-scripts=true
min-release-age=1
allow-git=none
pnpm #
Global config paths:
- Linux:
~/.config/pnpm/config.yaml - macOS:
~/Library/Preferences/pnpm/config.yaml
blockExoticSubdeps: true
ignoreScripts: true
minimumReleaseAge: 2880
strictDepBuilds: true
trustPolicy: no-downgrade
Compatibility rc paths:
- Linux:
~/.config/pnpm/rc - macOS:
~/Library/Preferences/pnpm/rc
minimum-release-age=2880
ignore-scripts=true
Project override note:
- Do not rely on
package.json -> pnpm.overrides. - Put overrides in root
pnpm-workspace.yaml:
overrides:
fast-xml-builder: "<patched-version>"
bun #
Path: ~/.bunfig.toml
[install]
minimumReleaseAgeExcludes = []
minimumReleaseAge = 172800
ignoreScripts = true
auto = "disable"
Quick Verification #
node -v
npm -v
pnpm -v
bun --version
npm config get ignore-scripts
npm config get min-release-age
npm config get allow-git
Notes #
npmuser config in~/.npmrcpersists acrossnvmNode version switches.- If
pnpmshows an older version in some shells, ensurePNPM_HOME/binis first inPATH. - If your policy is npm-only, remove/disable
yarn,pnpm, andbunon that machine.