playbooks / supply chain

Trust No Package

Install discipline that survives hallucinated names, squatted packages, and malicious updates.

20 minutes▲ severity if skipped: high
The duck weighs in

duck@duckaudit

Your AI just recommended a package with 12 downloads. Bold. Let us look at it together first.

how it burns you

Attackers publish malware under names AI assistants tend to invent, a trick called slopsquatting, and they compromise real popular packages too. One npm install runs arbitrary code on your machine with your credentials in reach. The package manager is the most trusting program you own.

1

Verify before you install

Thirty seconds of looking beats a compromised laptop. Check the package exists, check its age and downloads, check the repo link is real. Brand new packages with names suspiciously close to famous ones are the trap.

bash
npm view express-validator   # real: years old, millions of downloads
npm view expres-validator    # typo bait: if it exists, someone set a trap
2

Stop install scripts from running by default

Post install scripts are code execution at install time, which is exactly how most npm malware detonates. Turn them off globally and allow the rare package that truly needs them.

bash
# .npmrc
ignore-scripts=true
3

Respect the lockfile

The lockfile pins the exact code you audited. Commit it, use npm ci in CI and on deploy, and treat unexplained lockfile churn in a diff as a stop sign.

bash
npm ci   # installs exactly what the lockfile says, fails on drift
4

Let robots watch your dependencies

Dependabot or Renovate opens the patch PR the day a vulnerability drops, while npm audit gives you the picture on demand. Free, automatic, and they never get bored.

bash
npm audit --omit=dev
npm audit fix   # review the diff before you commit it
5

Prefer boring over shiny

Every dependency is a standing invitation into your build. The standard library, or a dependency you already have, beats a new package with three stars. Fewer invitations, fewer guests.

Make your AI do it

Paste this into Cursor or Claude Code from your project root.

Audit this repo's supply chain. 1) List every production dependency with its weekly downloads, age, and last publish date, flagging anything under 10k weekly downloads or under a year old. 2) Check for typo distance from famous package names. 3) Verify install scripts are disabled in .npmrc and the lockfile is committed and used in CI. 4) Run npm audit and summarize what actually matters for this app versus noise. 5) List dependencies we could delete because the stdlib or an existing dep covers them.

The 10 minute check

0/5

receipts · every claim has a source