Harden Node.js projects against supply-chain attacks — typosquatting, malicious `postinstall` scripts, dependency confusion — at the package-manager level. Battle-tested config for both Yarn 4 (Berry) and npm.
This is the generic, anonymized version of an internal engineering standard I wrote and rolled out across a fleet of production repos. Every organization-specific identifier (registry hosts, feed names, repo names, ticket IDs, CI internals) is replaced with a <placeholder>, so you can drop it into any org and adapt it.
If it saves you an afternoon of reading package-manager docs — or stops one bad postinstall — it did its job. A ⭐ star helps others find it, and ideas / PRs are genuinely welcome (see Contributing).
- Engineers hardening a Node.js repo's build/CI against supply-chain risk.
- Teams migrating Yarn 1 → Yarn 4, or comparing Yarn 4 vs npm hardening.
- Anyone who wants a checklist of "what should be in the repo and why," not just a list of flags.
- `package-manager-security-guide.md` — the full guide: what each setting does and why, the Yarn 4 ⇆ npm mapping, migration playbooks, the `ignore-scripts` / native-rebuild pattern, the lifecycle-hook suppression trap, monorepo file scoping, and troubleshooting.
- `templates/yarn4/` and `templates/npm/` — drop-in config files (`.yarnrc.yml` / `.npmrc`, `.audit-ci.json`, `.lockfile-lintrc.yml`, git hooks, `.gitattributes`, CI fragments).
- Hardened defaults: `enableScripts: false` / `ignore-scripts=true`, checksum enforcement, strict TLS, a minimum-release-age gate (don't install packages published in the last N days — the window in which fresh malware is caught).
- A native, dependency-free way to re-enable build scripts only for the packages that genuinely need them (`dependenciesMeta.built` on Yarn 4; the explicit `npm rebuild` pattern on npm).
- A pre-commit audit hook + a portable, once-per-machine global hook dispatcher.
- Real war stories: the silent `prebuild` suppression under `ignore-scripts`, and the lockfile-lint hostname-only matching limitation.
| Placeholder | Replace with |
|---|---|
| `<your-org>` | Your Azure DevOps (or other) organization name |
| `<your-feed>` | Your private package feed / view name |
| `@yourscope` | Your private npm scope (e.g. `@acme`) |
| `<your-yarn-vg>` / `<your-npm-vg>` | Your CI variable-group names |
| `<your-jira>` | Your issue tracker base URL |
| `PRIVATE_NPM_TOKEN` | Your CI auth-token variable name |
The private-feed examples use Azure DevOps Artifacts, but the approach is registry-agnostic — swap the host/auth lines for GitHub Packages, Artifactory, Verdaccio, etc.
Contributions are very welcome — this is meant to be a living reference, and the supply-chain threat landscape keeps moving. Whether it's a one-line typo fix or a whole new section, I'd love the help.
Great things to contribute:
- More package managers — pnpm and Bun hardening variants (this currently covers Yarn 4 and npm).
- More registries — worked auth examples for GitHub Packages, Artifactory, Verdaccio, AWS CodeArtifact.
- Edge cases — additional native packages and their Cat 1 / Cat 2 / Cat 3 classification, tricky `dependenciesMeta` / `npm rebuild` scenarios.
- New threats & mitigations — anything the current defaults don't cover yet.
- Corrections — if something is inaccurate, out of date, or just explained badly, please flag it. Real-world experience that contradicts the guide is especially valuable.
How to contribute:
- For small fixes (typos, broken links, clarifications) — open a PR directly.
- For larger changes or new sections — open an issue first so we can talk it through.
- Be specific about why — this guide leans heavily on rationale, not just rules, so a good "because…" matters as much as the change itself.
No CLA, no ceremony. By contributing you agree your work is released under the MIT license below. Questions and "is this a good idea?" issues are welcome too — you don't need a finished PR to start a conversation.
Created and maintained by Alexander Konstantinov (@Bafff) — original author and primary contributor. This guide grew out of designing and rolling out a real supply-chain hardening standard across a production fleet of Node.js repos.
Contributions from others are credited via the repo's contributor list and Git history.
MIT — see LICENSE. Free to use, adapt, and share.