Install: claude install-skill susomejias/rembric
# npm Security Best Practices
A general reference for hardening any npm-ecosystem project (npm, pnpm, yarn, bun) against supply-chain attacks. Adapted from [lirantal/npm-security-best-practices](https://github.com/lirantal/npm-security-best-practices). Use this skill whenever you are about to add a dependency, edit install-time configuration, review a lockfile diff, or configure CI install steps.
For the project-specific snapshot date, upstream commit SHA, and quarterly re-read reminder, see [references/source.md](./references/source.md). For a one-page scan-friendly summary, see [references/checklist.md](./references/checklist.md). For ready-to-paste configs, see [references/pnpm-config.md](./references/pnpm-config.md) and [references/ci-snippets.md](./references/ci-snippets.md).
---
## 1. Disable post-install scripts
Lifecycle scripts (`preinstall`, `install`, `postinstall`, dependency-side `prepare`) run during `npm install` for every transitive dependency. A compromised package can exfiltrate secrets or install malware from these hooks. The default-deny stance: block all of them, then allowlist the exceptions you have reviewed.
### How to apply
**npm / pnpm (≤ 9):** set `ignore-scripts=true` in `.npmrc`. Per-install override: `npm install --ignore-scripts`.
**pnpm 10.x:** combine `.npmrc::ignore-scripts=true` with `pnpm-workspace.yaml::onlyBuiltDependencies: [pkg1, pkg2]` for an auditable allowlist.
**pnpm 11+:** the legacy `onlyBuiltDependencies` list is replaced by an explicit `pnpm-workspa