May 13, 2026

Switching to pnpm

Switching from npm to pnpm to help stave off supply chain attacks.

There are a lot of evil people in the world. It really bugs me.

If you're doing any sort of software development, especially with JavaScript, you should know about supply chain attacks. This is how evil people are doing evil things.

To help prevent this, I decided to migrate my projects from npm to pnpm. Sharing how I did it in hopes it helps others.

  1. Install pnpm

If you're on a Mac and have Homebrew:

brew install pnpm

If you're not on a Mac, ask your preferred robot partner. They love this kind of question.

  2. Set secure defaults globally

pnpm config set ignore-scripts true --location=global
pnpm config set minimum-release-age 10080 --location=global

The first setting blocks the preinstall and postinstall lifecycle scripts that most supply chain worms rely on to run code at install time. The second refuses to install any package version published less than 7 days ago (the value is in minutes: 10080 minutes is 7 days). This is long enough for the security folks to catch and deal with the obvious stuff.

The TanStack attack on Sunday was detected in 20 minutes. A weeklong cooldown would've stopped it cold on every machine downstream.

  3. Add a .npmrc to your project root

ignore-scripts=true
minimum-release-age=10080

Commit it so the same protections apply during builds.

  4. Replace your lockfile

rm -rf node_modules package-lock.json
pnpm install

Commit pnpm-lock.yaml. Vercel, Netlify, and Railway auto-detect it on deploy. GitHub Actions and similar will need their workflows updated to use pnpm commands.
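As an added example (not part of the original post), here is a small POSIX shell audit that checks a project's .npmrc for the two settings from the steps above, so a CI job or pre-commit hook can catch a repository that lost its protections. It assumes pnpm's key names ignore-scripts and minimum-release-age (a value in minutes) exactly as used above; the sample .npmrc files it writes are constructed for the demo and are not real project config.

```shell
#!/bin/sh
# Added example, not the post's own code. Audits an .npmrc for the two
# pnpm hardening settings: ignore-scripts=true and minimum-release-age
# of at least 10080 minutes (7 days). Key names are pnpm's; the sample
# files below are constructed for a stand-alone run.

# npmrc_get FILE KEY -> prints KEY's value (last definition wins), or nothing.
# Skips comment lines (# or ;) and tolerates whitespace around '='.
npmrc_get() {
    grep -v '^[[:space:]]*[#;]' "$1" 2>/dev/null |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/[[:space:]]*=[[:space:]]*/=/' |
        grep "^$2=" | tail -n 1 | cut -d= -f2-
}

# check_npmrc FILE -> returns 0 when both settings are hardened; otherwise
# prints each weak or missing setting and returns 1.
check_npmrc() {
    file=$1
    ok=0
    scripts=$(npmrc_get "$file" ignore-scripts)
    age=$(npmrc_get "$file" minimum-release-age)

    if [ "$scripts" != "true" ]; then
        echo "$file: ignore-scripts is '${scripts:-unset}', want true (install scripts would run)"
        ok=1
    fi

    case $age in
        ''|*[!0-9]*)
            echo "$file: minimum-release-age is '${age:-unset}', want a number of minutes (e.g. 10080)"
            ok=1 ;;
        *)
            if [ "$age" -lt 10080 ]; then
                echo "$file: minimum-release-age=$age minutes (~$((age / 1440)) days), want at least 10080 (7 days)"
                ok=1
            fi ;;
    esac
    return $ok
}

# Demo on two constructed files: one hardened, one that only shortened the cooldown.
demo_dir=$(mktemp -d)
printf 'ignore-scripts=true\nminimum-release-age=10080\n' > "$demo_dir/hardened.npmrc"
printf '# registry=https://registry.npmjs.org/\nminimum-release-age = 60\n' > "$demo_dir/weak.npmrc"

for f in "$demo_dir/hardened.npmrc" "$demo_dir/weak.npmrc"; do
    if check_npmrc "$f"; then
        echo "$f: hardened"
    fi
done
rm -rf "$demo_dir"
```

Run it against your own repo with `check_npmrc ./.npmrc` and make the job fail on a non-zero status; the threshold of 10080 minutes is the post's 7-day cooldown, so raise it in one place if you want a longer window.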

On my main side project this switch took about 20 minutes.

It's not bulletproof. Nothing is. But the default npm setup trusts every package update the moment it's published. That one design decision has gotten exploited over and over this year.

We can't stop evil people, but we can make their job harder.