Thursday, November 27, 2025
Show HN: Safe-NPM – only install packages that are +90 days old https://ift.tt/Wxy0jSP
This past quarter has been awash with sophisticated npm supply chain attacks like [Shai-Hulud]( https://ift.tt/kAc68OP... () and the [Chalk/debug Compromise]( https://www.wiz.io/blog/widespread-npm-supply-chain-attack-b... ). This CLI helps protect users from recently compromised packages by only downloading packages that have been public for a while (default is 90 days or older).

Install: npm install -g @dendronhq/safe-npm

Usage: safe-npm install react@^18 lodash

How it works:
- Queries npm registry for all versions matching your semver range
- Filters out anything published in the last 90 days
- Installs the newest "aged" version

Limitations:
- Won't protect against packages malicious from day one
- Doesn't control transitive dependencies (yet - looking into overrides)
- Delays access to legitimate new features

This is meant as an 80/20 measure against recently compromised NPM packages and is not a silver bullet. Please give it a try and let me know if you have feedback.

https://ift.tt/Ac7wOt4 November 24, 2025 at 03:44AM
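The "How it works" steps above, as an added example that is not code from the Safe-NPM project: it takes a registry metadata document (the `versions` keys and the per-version `time` map that the npm registry returns), keeps only versions in the requested range, drops anything published inside the age window, and returns the newest survivor. The semver matcher is a deliberately minimal one (`*`, exact, `~`, `^`) and the registry document is constructed, not fetched.

```javascript
// Added example, not code from the Safe-NPM project: given an npm registry
// metadata document (its `versions` keys and `time` map), pick the newest
// version in a semver range that was published at least `minAgeDays` ago.
const DAY_MS = 24 * 60 * 60 * 1000;

// Parse "1.2.3", "1.2" or "1" (missing parts default to 0); pre-releases are rejected.
function parseVersion(v) {
  const m = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(v);
  return m ? { major: +m[1], minor: +(m[2] || 0), patch: +(m[3] || 0), hasMinor: m[2] != null } : null;
}

function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Minimal matcher for "*", exact "x.y.z", "~x.y.z" and "^x.y.z" (npm's caret rule
// for 0.x versions included). Compound ranges such as ">=1 <2" are not supported.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!v) return false;
  if (range === '*' || range === '') return true;
  const op = '^~'.includes(range[0]) ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  if (!base || compare(v, base) < 0) return false;
  if (op === '') return compare(v, base) === 0;
  if (op === '~') return v.major === base.major && (!base.hasMinor || v.minor === base.minor);
  if (base.major > 0) return v.major === base.major;
  return v.major === 0 && v.minor === base.minor && (base.minor > 0 || v.patch === base.patch);
}

// Core policy: filter by range, drop anything younger than the cutoff, take the newest.
function pickAgedVersion(meta, range, minAgeDays, now = new Date()) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  return Object.keys(meta.versions)
    .filter(v => satisfies(v, range) && meta.time[v] && Date.parse(meta.time[v]) <= cutoff)
    .sort((a, b) => compare(parseVersion(b), parseVersion(a)))[0] || null;
}

// Constructed registry document (not real data): 18.3.1 was pushed 10 days before
// NOW, so a 90-day policy skips it and falls back to 18.3.0; 19.0.0 is out of range.
const NOW = new Date('2025-11-24T00:00:00Z');
const SAMPLE = {
  versions: { '17.0.2': {}, '18.2.0': {}, '18.3.0': {}, '18.3.1': {}, '19.0.0': {} },
  time: { '17.0.2': '2021-03-22T00:00:00Z', '18.2.0': '2022-06-14T00:00:00Z',
          '18.3.0': '2024-04-25T00:00:00Z', '18.3.1': '2025-11-14T00:00:00Z',
          '19.0.0': '2024-12-05T00:00:00Z' },
};
console.log(pickAgedVersion(SAMPLE, '^18', 90, NOW)); // 18.3.0
console.log(pickAgedVersion(SAMPLE, '^18', 0, NOW));  // 18.3.1
```

Note that the age check only covers the package named on the command line; as the post says, transitive dependencies resolved by npm itself are not filtered by this step.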