# JS package manager security baseline (npm, pnpm, bun)

> Source: <https://gist.github.com/qiweiii/84e19489bc7f2a07c2ad52b5cbe42c80>
> Published: 2026-05-23 07:10:23+00:00

# JS Package Manager Security Baseline (macOS/Linux)

This baseline hardens `npm`, `pnpm`, and `bun` against common supply-chain risks while keeping setup simple and reproducible.

## Recommended Minimum Versions

- Node.js: `22.22.3`
- npm: `11.15.0`
- pnpm: `11.2.2` or newer
- bun: `1.3.14` or newer

## npm

Path: `~/.npmrc`

```ini
# pin installs to the public registry and skip lifecycle scripts
registry=https://registry.npmjs.org/
ignore-scripts=true
# refuse package versions published less than this many days ago
min-release-age=1
allow-git=none
```

## pnpm

Global config paths:

- Linux: `~/.config/pnpm/config.yaml`
- macOS: `~/Library/Preferences/pnpm/config.yaml`

```yaml
# block git/URL-sourced transitive dependencies
blockExoticSubdeps: true
ignoreScripts: true
# minutes a version must have been published before it is installable (2880 = 2 days)
minimumReleaseAge: 2880
# fail the install instead of silently skipping unapproved dependency build scripts
strictDepBuilds: true
# refuse updates whose provenance trust level is lower than the installed version's
trustPolicy: no-downgrade
```

Compatibility `rc` paths:

- Linux: `~/.config/pnpm/rc`
- macOS: `~/Library/Preferences/pnpm/rc`

```ini
# same release-age gate as config.yaml, in minutes
minimum-release-age=2880
ignore-scripts=true
```

Project override note:

- Do not rely on `package.json -> pnpm.overrides`.
- Put overrides in root `pnpm-workspace.yaml`:

```yaml
overrides:
  fast-xml-builder: "<patched-version>"
```

## bun

Path: `~/.bunfig.toml`

```toml
[install]
# packages exempt from the release-age gate; none
minimumReleaseAgeExcludes = []
# seconds a version must have been published before it is installable (172800 = 2 days)
minimumReleaseAge = 172800
ignoreScripts = true
# do not auto-install missing packages at run time
auto = "disable"
```

## Quick Verification

```bash
node -v
npm -v
pnpm -v
bun --version

npm config get ignore-scripts
npm config get min-release-age
npm config get allow-git
```
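The commands above only echo the current values. The following audit script is an added example, not part of the original gist: it compares the three user-level config files against every baseline value on this page and exits non-zero on any deviation. It assumes the Linux paths as defaults (pass the macOS pnpm path as the second argument), assumes the file name `audit_baseline.sh` for its self-run guard, and does not validate that bunfig keys sit under the `[install]` table.

```shell
#!/bin/sh
# Added example (not part of the original gist): audit the user-level npm,
# pnpm and bun configs against the baseline and report every deviation.
# Paths default to the Linux locations the page lists; the three positional
# arguments override them. The file name audit_baseline.sh is an assumption
# used only by the self-run guard at the bottom.

# check_kv FILE KEY EXPECTED SEP: look up KEY in FILE, where SEP is "=" for
# .npmrc / bunfig.toml lines and ":" for config.yaml lines. The last matching
# line wins (how these tools resolve duplicate keys); surrounding whitespace
# and double quotes are stripped. TOML table headers are not validated, so a
# key placed under the wrong [table] is not detected. Returns 1 on deviation.
check_kv() {
  file=$1; key=$2; expected=$3; sep=$4
  if [ ! -f "$file" ]; then
    echo "MISSING FILE  $file (wanted ${key}${sep}${expected})"
    return 1
  fi
  actual=$(grep -E "^[[:space:]]*${key}[[:space:]]*${sep}" "$file" \
    | tail -n 1 \
    | sed -E "s/^[[:space:]]*${key}[[:space:]]*${sep}[[:space:]]*//; s/[[:space:]]+\$//; s/^\"(.*)\"\$/\1/")
  if [ -z "$actual" ]; then
    echo "MISSING KEY   $key in $file (wanted '$expected')"
    return 1
  fi
  if [ "$actual" != "$expected" ]; then
    echo "MISMATCH      $key in $file: got '$actual', wanted '$expected'"
    return 1
  fi
  echo "OK            $key=$actual ($file)"
  return 0
}

# require_kv: same arguments as check_kv; counts a deviation instead of
# stopping, so one run reports every problem at once.
require_kv() {
  check_kv "$@" || failures=$((failures + 1))
}

# audit_baseline [NPMRC] [PNPM_CONFIG_YAML] [BUNFIG]: run every check from
# the page's three config blocks; returns non-zero if anything deviates.
audit_baseline() {
  npmrc=${1:-"$HOME/.npmrc"}
  pnpm_cfg=${2:-"$HOME/.config/pnpm/config.yaml"}
  bunfig=${3:-"$HOME/.bunfig.toml"}
  failures=0

  # npm (~/.npmrc, INI; min-release-age is in days)
  require_kv "$npmrc" registry 'https://registry.npmjs.org/' '='
  require_kv "$npmrc" ignore-scripts true '='
  require_kv "$npmrc" min-release-age 1 '='
  require_kv "$npmrc" allow-git none '='

  # pnpm (config.yaml; minimumReleaseAge is in minutes)
  require_kv "$pnpm_cfg" blockExoticSubdeps true ':'
  require_kv "$pnpm_cfg" ignoreScripts true ':'
  require_kv "$pnpm_cfg" minimumReleaseAge 2880 ':'
  require_kv "$pnpm_cfg" strictDepBuilds true ':'
  require_kv "$pnpm_cfg" trustPolicy no-downgrade ':'

  # bun (~/.bunfig.toml; minimumReleaseAge is in seconds)
  require_kv "$bunfig" minimumReleaseAgeExcludes '[]' '='
  require_kv "$bunfig" minimumReleaseAge 172800 '='
  require_kv "$bunfig" ignoreScripts true '='
  require_kv "$bunfig" auto disable '='

  echo "$failures deviation(s) from baseline"
  [ "$failures" -eq 0 ]
}

# Self-run guard: execute the audit only when this file is run as
# audit_baseline.sh; when sourced, only the functions are defined.
case "${0##*/}" in
  audit_baseline.sh) audit_baseline "$@" ;;
esac
```

Run it as `sh audit_baseline.sh` on Linux, or `sh audit_baseline.sh ~/.npmrc ~/Library/Preferences/pnpm/config.yaml ~/.bunfig.toml` on macOS; a non-zero exit status makes it usable as a pre-commit or CI gate on developer machines.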

## Notes

- `npm` user config in `~/.npmrc` persists across `nvm` Node version switches.
- If `pnpm` shows an older version in some shells, ensure `PNPM_HOME/bin` is first in `PATH`.
- If your policy is npm-only, remove/disable `yarn`, `pnpm`, and `bun` on that machine.

