Hey HN — after the Axios attack I went looking for something that could help against this kind of install-time risk. I didn’t find a tool that did what I wanted, so I built one.
SafeInstall is a local CLI for npm, pnpm, and bun. It checks policy before the package manager runs.
Especially now, when tons of people are building with AIs like Cursor and Claude and either give them full rights or just hit enter on every prompt, I thought it was important to build a guardrail before the install happens.
By default it: blocks very fresh registry releases blocks lifecycle scripts unless explicitly allowed blocks git, tarball, and URL installs by default catches trust downgrades, like registry-to-git changes or newly introduced install scripts
Optional checks: typo-squat detection Sigstore provenance verification with publisher/repo pinning, so a package can be tied to an expected source instead of accepting any valid signature
It’s MIT licensed, runs locally, and doesn’t require an account or signup. Repo: https://github.com/Mickdownunder/SafeInstall Website: https://safeinstall.dev I’m interested in feedback on the policy model and on which checks should or shouldn’t be enabled by default.