cd /news/developer-tools/js-package-manager-security-baseline… · home topics developer-tools article
[ARTICLE · art-12872] src=gist.github.com ↗ pub= topic=developer-tools verified=true sentiment=· neutral

JS package manager security baseline (npm, pnpm, bun)

This article provides a security baseline configuration for the JavaScript package managers npm, pnpm, and bun, designed to mitigate supply-chain risks. It specifies minimum version requirements and recommends settings such as disabling script execution, enforcing a minimum release age for packages, and blocking exotic subdependencies. The guide also includes platform-specific configuration file paths and notes on managing overrides and tool compatibility.

read1 min views21 publishedMay 23, 2026

This baseline hardens npm, pnpm, and bun against common supply-chain risks while keeping setup simple and reproducible.

  • Node.js: 22.22.3
  • npm: 11.15.0
  • pnpm: 11.2.2 or newer
  • bun: 1.3.14 or newer

npm #

Path: ~/.npmrc

registry=https://registry.npmjs.org/
ignore-scripts=true
min-release-age=1
allow-git=none

pnpm #

Global config paths:

  • Linux: ~/.config/pnpm/config.yaml
  • macOS: ~/Library/Preferences/pnpm/config.yaml
blockExoticSubdeps: true
ignoreScripts: true
minimumReleaseAge: 2880
strictDepBuilds: true
trustPolicy: no-downgrade

Compatibility rc paths:

  • Linux: ~/.config/pnpm/rc
  • macOS: ~/Library/Preferences/pnpm/rc
minimum-release-age=2880
ignore-scripts=true

Project override note:

  • Do not rely on package.json -> pnpm.overrides.
  • Put overrides in root pnpm-workspace.yaml:
overrides:
  fast-xml-builder: "<patched-version>"

bun #

Path: ~/.bunfig.toml

[install]
minimumReleaseAgeExcludes = []
minimumReleaseAge = 172800
ignoreScripts = true
auto = "disable"

Quick Verification #

node -v
npm -v
pnpm -v
bun --version

npm config get ignore-scripts
npm config get min-release-age
npm config get allow-git

Notes #

  • npm user config in ~/.npmrc persists across nvm Node version switches.
  • If pnpm shows an older version in some shells, ensure PNPM_HOME/bin is first in PATH.
  • If your policy is npm-only, remove/disable yarn, pnpm, and bun on that machine.
── more in #developer-tools 4 stories · sorted by recency
── more on @npm 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/js-package-manager-s…] indexed:0 read:1min 2026-05-23 ·