JS package manager security baseline (npm, pnpm, bun)

This article provides a security baseline configuration for the JavaScript package managers npm, pnpm, and bun, designed to mitigate supply-chain risks. It specifies minimum version requirements and recommends settings such as disabling script execution, enforcing a minimum release age for packages, and blocking exotic subdependencies. The guide also includes platform-specific configuration file paths and notes on managing overrides and tool compatibility.

JS Package Manager Security Baseline macOS/Linux This baseline hardens npm , pnpm , and bun against common supply-chain risks while keeping setup simple and reproducible. Recommended Minimum Versions - Node.js: 22.22.3 - npm: 11.15.0 - pnpm: 11.2.2 or newer - bun: 1.3.14 or newer npm Path: ~/.npmrc ini registry=https://registry.npmjs.org/ ignore-scripts=true min-release-age=1 allow-git=none pnpm Global config paths: - Linux: ~/.config/pnpm/config.yaml - macOS: ~/Library/Preferences/pnpm/config.yaml yaml blockExoticSubdeps: true ignoreScripts: true minimumReleaseAge: 2880 strictDepBuilds: true trustPolicy: no-downgrade Compatibility rc paths: - Linux: ~/.config/pnpm/rc - macOS: ~/Library/Preferences/pnpm/rc ini minimum-release-age=2880 ignore-scripts=true Project override note: - Do not rely on package.json - pnpm.overrides . - Put overrides in root pnpm-workspace.yaml : yaml overrides: fast-xml-builder: "<patched-version " bun Path: ~/.bunfig.toml toml install minimumReleaseAgeExcludes = minimumReleaseAge = 172800 ignoreScripts = true auto = "disable" Quick Verification bash node -v npm -v pnpm -v bun --version npm config get ignore-scripts npm config get min-release-age npm config get allow-git Notes - npm user config in ~/.npmrc persists across nvm Node version switches. - If pnpm shows an older version in some shells, ensure PNPM HOME/bin is first in PATH . - If your policy is npm-only, remove/disable yarn , pnpm , and bun on that machine.