{"slug": "js-package-manager-security-baseline-npm-pnpm-bun", "title": "JS package manager security baseline (npm, pnpm, bun)", "summary": "This article provides a security baseline configuration for the JavaScript package managers npm, pnpm, and bun, designed to mitigate supply-chain risks. It specifies minimum version requirements and recommends settings such as disabling script execution, enforcing a minimum release age for packages, and blocking exotic subdependencies. The guide also includes platform-specific configuration file paths and notes on managing overrides and tool compatibility.", "body_md": "# JS Package Manager Security Baseline (macOS/Linux)\n\nThis baseline hardens `npm`, `pnpm`, and `bun` against common supply-chain risks while keeping setup simple and reproducible.\n\n## Recommended Minimum Versions\n\n- Node.js: `22.22.3`\n- npm: `11.15.0`\n- pnpm: `11.2.2` or newer\n- bun: `1.3.14` or newer\n\n## npm\n\nPath: `~/.npmrc`\n\n```ini\nregistry=https://registry.npmjs.org/\nignore-scripts=true\nmin-release-age=1\nallow-git=none\n```\n\n## pnpm\n\nGlobal config paths:\n\n- Linux: `~/.config/pnpm/config.yaml`\n- macOS: `~/Library/Preferences/pnpm/config.yaml`\n\n```yaml\nblockExoticSubdeps: true\nignoreScripts: true\nminimumReleaseAge: 2880\nstrictDepBuilds: true\ntrustPolicy: no-downgrade\n```\n\nCompatibility `rc` paths:\n\n- Linux: `~/.config/pnpm/rc`\n- macOS: `~/Library/Preferences/pnpm/rc`\n\n```ini\nminimum-release-age=2880\nignore-scripts=true\n```\n\nProject override note:\n\n- Do not rely on `package.json -> pnpm.overrides`.\n- Put overrides in root `pnpm-workspace.yaml`:\n\n```yaml\noverrides:\n  fast-xml-builder: \"<patched-version>\"\n```\n\n## bun\n\nPath: `~/.bunfig.toml`\n\n```toml\n[install]\nminimumReleaseAgeExcludes = []\nminimumReleaseAge = 172800\nignoreScripts = true\nauto = \"disable\"\n```\n\n## Quick Verification\n\n```bash\nnode -v\nnpm -v\npnpm -v\nbun --version\n\nnpm config get ignore-scripts\nnpm config get min-release-age\nnpm config get allow-git\n```\n\n## Notes\n\n- `npm` user config in `~/.npmrc` persists across `nvm` Node version switches.\n- If `pnpm` shows an older version in some shells, ensure `PNPM_HOME/bin` is first in `PATH`.\n- If your policy is npm-only, remove/disable `yarn`, `pnpm`, and `bun` on that machine.\n", "url": "https://wpnews.pro/news/js-package-manager-security-baseline-npm-pnpm-bun", "canonical_source": "https://gist.github.com/qiweiii/84e19489bc7f2a07c2ad52b5cbe42c80", "published_at": "2026-05-23 07:10:23+00:00", "updated_at": "2026-05-24 01:36:11.736241+00:00", "lang": "en", "topics": ["developer-tools", "cybersecurity", "open-source"], "entities": ["npm", "pnpm", "bun", "Node.js"], "alternates": {"html": "https://wpnews.pro/news/js-package-manager-security-baseline-npm-pnpm-bun", "markdown": "https://wpnews.pro/news/js-package-manager-security-baseline-npm-pnpm-bun.md", "text": "https://wpnews.pro/news/js-package-manager-security-baseline-npm-pnpm-bun.txt", "jsonld": "https://wpnews.pro/news/js-package-manager-security-baseline-npm-pnpm-bun.jsonld"}}