10 Ways safe-install Protects Your npm Projects from Supply Chain Attacks

Introduction

The npm ecosystem has become a prime target for supply chain attacks, with malicious packages sneaking in through compromised dependencies or malicious install scripts. While the community has responded with tools like Bun's trusted dependencies and pnpm's exotic sub-dependency blocking, npm itself has been slow to adopt these safeguards. Enter safe-install, a lightweight npm package that brings two crucial protections to your development workflow: disabling install scripts by default and blocking exotic sub-dependencies. In this listicle, we explore 10 things you need to know about safe-install and how it can help harden your npm projects against threats.

1. The Growing Threat of npm Supply Chain Attacks

Supply chain attacks on npm have surged in recent years. Attackers publish seemingly legitimate packages that include malicious install scripts, which execute during npm install. These scripts can steal credentials, install backdoors, or exfiltrate sensitive data. With millions of monthly downloads, even a single compromised package can affect countless projects. The incident with event-stream and the eslint-scope breach highlight the urgency. safe-install directly addresses this by giving you control over which dependencies run build/install scripts.

2. What Is safe-install?

safe-install is a small npm package authored by @gkiely that acts as a security layer on top of npm's default installation process. Its primary goal is to prevent malicious script execution without sacrificing compatibility with legitimate packages. Unlike npm's built-in ignore-scripts flag, safe-install allows you to selectively enable scripts only for trusted dependencies. It also blocks exotic sub-dependencies—unexpected or rarely-used package names that often indicate malicious activity. This dual approach mirrors features found in Bun and pnpm, but works within the standard npm workflow.

3. How safe-install Disables Install Scripts by Default

By default, npm runs all lifecycle scripts (preinstall, install, postinstall) for every dependency. safe-install flips this: it blocks all scripts unless explicitly allowed. This is similar to Bun's trusted dependencies concept. When you use safe-install, you define a list of dependencies that are permitted to run their install scripts. All other packages will have their scripts silently skipped. This drastically reduces the attack surface because even if a compromised package is added, its malicious script never executes. The list is defined in your package.json using a special configuration key.

4. Defining Trusted Dependencies (Similar to Bun)

To enable scripts for specific packages, you add them to a trustedDependencies array in your package.json or via a config in safe-install. For example, if your project depends on bcrypt which requires a build step, you’d list it there. All other packages—even transitive dependencies—will have their scripts blocked. This model gives you fine-grained control without the all-or-nothing approach of --ignore-scripts. It mirrors the behavior of Bun's trusted dependencies feature, ensuring you only trust what you explicitly review.

5. Blocking Exotic Sub-dependencies (Similar to pnpm)

Another layer of protection in safe-install is the ability to block exotic sub-dependencies. This concept, popularized by pnpm's blockExoticSubdeps setting, prevents packages with unusual or suspicious names (like typosquatted names or single-letter packages) from being installed. safe-install implements a similar filter: you can define a blocklist of package name patterns or rely on heuristics that flag packages with unexpected scope, length, or registry origin. This stops many supply chain attacks that rely on convincing developers to install a look-alike package.

6. Why npm Lacks These Built-in Protections

Despite numerous community requests, npm has not integrated script-blocking or exotic sub-dependency filtering into its core. The npm team has cited complexity, backward compatibility, and the need for minimal disruption. However, the ecosystem has evolved, and malicious actors have become more sophisticated. safe-install fills this gap by providing an optional, opt-in mechanism. You don’t have to wait for npm to change—you can adopt safe-install today. Its lightweight footprint means it doesn’t add significant overhead to your CI/CD pipeline or local development.

7. The Simplicity of safe-install – A Small Package

One of the philosophy points of safe-install is simplicity. The package itself is minimal—just enough logic to intercept npm’s install process, apply filters, and execute or skip scripts accordingly. It doesn’t override npm commands; instead, it provides a wrapper or a postinstall hook. The code is open source and auditable. This simplicity reduces potential bugs and makes it easy for security-conscious developers to review. Additionally, because it’s just a package, you can include it as a devDependency without altering your project’s overall architecture.

8. Installing and Using safe-install

Getting started with safe-install is straightforward. Install it via npm: npm install --save-dev @gkiely/safe-install. Then, configure it in your package.json by adding a "safe-install" field. For example: "safe-install": { "trustedDependencies": ["bcrypt"], "blockExoticSubdeps": true }. You then replace your usual npm install with npm run safe-install or integrate it into your scripts section. The package also includes a CLI command for one-off installations. Comprehensive documentation is available on the npm page.

9. Comparing safe-install to Other Solutions (Bun, pnpm)

Bun and pnpm already offer similar protections natively. Bun’s trusted dependencies allow script control per package, and pnpm’s blockExoticSubdeps blocks suspicious packages. However, safe-install is designed specifically for the npm ecosystem—it doesn’t require switching package managers. If your team uses npm for legacy or compatibility reasons, safe-install brings parity with these modern alternatives. Moreover, it’s a much smaller dependency than adopting a whole new package manager. For teams that can migrate to Bun or pnpm, native solutions may be better integrated, but safe-install offers a bridge for those stuck on npm.

10. The Future of npm Security – What Can Be Done

The creation of safe-install highlights a broader need: npm must evolve its security model. While community packages fill the gap, widespread adoption of a third-party tool is limited. The ideal solution would be built into the npm client itself, perhaps as an opt-in feature like --strict-scripts or an enhanced security policy in .npmrc. Until then, developers should adopt layered defenses: use safe-install, audit dependencies with tools like npm audit, and maintain a strict lockfile. safe-install is not a silver bullet, but it’s a practical step toward safer installations.

Conclusion

Supply chain attacks are not going away, and the npm ecosystem continues to be a prime vector. safe-install provides two essential protections—install script control and exotic sub-dependency blocking—in a simple, npm-compatible package. By following the 10 points outlined above, you can better understand how this tool complements existing security practices. While waiting for native npm changes, adopting safe-install is a proactive move that reduces risk without sacrificing convenience. Whether you’re a solo developer or part of a large team, consider adding safe-install to your security toolkit.