
Security

Security features and best practices

snpm includes security features to protect your projects from malicious packages and supply chain attacks.

Minimum Version Age

A unique security feature that protects against zero-day malicious packages.

How It Works

Configure snpm to ignore package versions published within the last N days:

export SNPM_MIN_PACKAGE_AGE_DAYS=7

With this setting, snpm will only install package versions that are at least 7 days old.
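The filter described above, as an added illustration that is not snpm's own code: it assumes registry metadata in the npm packument shape (a `time` map from version to publish timestamp), applies the N-day cutoff, and shows the 7-, 3- and 0-day settings resolving to different versions of a constructed package.

```javascript
// Added illustration of the minimum-package-age filter described above; this
// is not snpm's own code. It assumes registry metadata in the npm packument
// shape, where `time` maps each published version to an ISO timestamp.

// Constructed sample packument for a made-up package.
const packument = {
  name: "example-lib",
  "dist-tags": { latest: "2.1.0" },
  time: {
    created: "2025-12-01T00:00:00.000Z",  // real packuments carry these too
    modified: "2026-01-14T12:00:00.000Z",
    "2.0.0": "2026-01-01T00:00:00.000Z",
    "2.0.1": "2026-01-10T00:00:00.000Z",
    "2.1.0": "2026-01-14T12:00:00.000Z",
  },
};

// Numeric comparison for plain x.y.z versions (prerelease tags not handled).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Versions published at least `minAgeDays` before `now`, oldest first.
// Non-version keys such as "created"/"modified" are skipped.
function eligibleVersions(pkg, minAgeDays, now) {
  const cutoff = now.getTime() - minAgeDays * 24 * 60 * 60 * 1000;
  return Object.entries(pkg.time)
    .filter(([v, published]) => /^\d+\.\d+\.\d+$/.test(v) && Date.parse(published) <= cutoff)
    .map(([v]) => v)
    .sort(compareVersions);
}

// Newest eligible version; fails closed (null) when nothing is old enough,
// and reports whether the registry's "latest" tag was held back.
function resolveWithMinAge(pkg, minAgeDays, now) {
  const eligible = eligibleVersions(pkg, minAgeDays, now);
  const chosen = eligible.length ? eligible[eligible.length - 1] : null;
  return { chosen, skippedLatest: chosen !== pkg["dist-tags"].latest };
}

const now = new Date("2026-01-15T12:00:00.000Z");
console.log(resolveWithMinAge(packument, 7, now));
// With SNPM_MIN_PACKAGE_AGE_DAYS=7: 2.0.1 (5 days old) and 2.1.0 (1 day old)
// are skipped, so { chosen: "2.0.0", skippedLatest: true }.
```

Failing closed when no version is old enough is a deliberate choice here: installing the newest version anyway would silently defeat the waiting period.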

Why This Matters

Zero-Day Protection - Malicious packages are often caught and removed within days of publication. By waiting, you avoid installing them.

Broken Release Protection - Hastily published releases with critical bugs are usually fixed quickly. Waiting helps you skip these problematic versions.

Supply Chain Security - Compromised maintainer accounts often publish malicious versions immediately. A waiting period gives the community time to detect and report issues.

Configuration

# Wait 7 days (recommended for production)
export SNPM_MIN_PACKAGE_AGE_DAYS=7

# Wait 3 days (balanced approach)
export SNPM_MIN_PACKAGE_AGE_DAYS=3

# No waiting (development)
export SNPM_MIN_PACKAGE_AGE_DAYS=0

Trade-offs

Pros:

  • Protection against zero-day malicious packages
  • Avoid broken releases
  • Time for community review

Cons:

  • Can't use brand new packages immediately
  • May delay security patches (though most security patches are for older versions)

Lockfile Security

The snpm-lock.yaml file ensures you install the exact same versions every time:

# In CI, use frozen lockfile
snpm install --frozen-lockfile

This prevents unexpected updates that could introduce vulnerabilities.

Registry Authentication

Secure Token Storage

Use snpm login to securely store registry credentials:

snpm login

Tokens are stored in your system's credential store, not in plain text.

Private Registries

For private registries, use scoped authentication:

snpm login --scope @myorg --registry https://npm.mycompany.com

Environment Variables

For CI/CD, use environment variables:

export NPM_TOKEN=your-token-here
export SNPM_REGISTRY=https://npm.mycompany.com

Install Script Security

Critical Security Feature - By default, snpm blocks all install scripts to protect against malicious packages.

How It Works

Install scripts (like postinstall, preinstall) can execute arbitrary code during package installation. This is a common attack vector for supply chain attacks.

snpm takes a security-first approach:

  1. All install scripts are blocked by default
  2. Explicit whitelisting required - You must specify which packages are allowed to run scripts
  3. Clear warnings - snpm shows which packages had their scripts blocked

Allowing Specific Packages

Whitelist trusted packages that need to run install scripts:

# Allow specific packages
export SNPM_ALLOW_SCRIPTS="puppeteer,esbuild,@swc/core"

Or via workspace config:

# snpm-workspace.yaml
onlyBuiltDependencies:
  - puppeteer
  - esbuild
  - '@swc/core'
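The default-deny policy and the two allowlist sources above, as an added illustration that is not snpm's own code: it takes a constructed dependency tree, unions SNPM_ALLOW_SCRIPTS with onlyBuiltDependencies (given as an already-parsed array), and produces the blocked-scripts summary in the format the docs show.

```javascript
// Added illustration of the default-deny install-script policy described
// above; it is not snpm's own code. It models the two allowlist sources the
// docs name: SNPM_ALLOW_SCRIPTS and onlyBuiltDependencies (already parsed).

// Constructed sample dependency tree; package names mirror the docs, the
// script commands are made up.
const installedPackages = [
  { name: "puppeteer", scripts: { postinstall: "node install.js" } },
  { name: "@swc/core", scripts: { postinstall: "node postinstall.js" } },
  { name: "node-sass", scripts: { install: "node scripts/build.js" } },
  { name: "sharp", scripts: { install: "node install/check.js" } },
  { name: "left-pad", scripts: { test: "node test.js" } }, // no install-phase script
];

const INSTALL_PHASES = ["preinstall", "install", "postinstall"];

// Union of the env var (comma-separated, whitespace-tolerant) and the
// workspace config list.
function buildAllowSet(envValue, onlyBuiltDependencies = []) {
  const fromEnv = (envValue || "").split(",").map((s) => s.trim()).filter(Boolean);
  return new Set([...fromEnv, ...onlyBuiltDependencies]);
}

// Default deny: install scripts run only for packages whose exact name is in
// the allow set. Packages with no install-phase script are unaffected.
function planInstallScripts(packages, allowSet) {
  const allowed = [];
  const blocked = [];
  for (const pkg of packages) {
    const hasInstallScript = INSTALL_PHASES.some((p) => pkg.scripts && pkg.scripts[p]);
    if (!hasInstallScript) continue;
    (allowSet.has(pkg.name) ? allowed : blocked).push(pkg.name);
  }
  return { allowed, blocked };
}

// Summary line in the format the docs show.
function blockedSummary(blocked) {
  if (blocked.length === 0) return "No install scripts were blocked.";
  const header = `Blocked ${blocked.length} install scripts. Set SNPM_ALLOW_SCRIPTS to enable.`;
  return [header, ...blocked.map((n) => `  - ${n}`)].join("\n");
}

const allow = buildAllowSet("puppeteer, esbuild", ["@swc/core"]);
const plan = planInstallScripts(installedPackages, allow);
console.log(blockedSummary(plan.blocked));
// Blocked 2 install scripts. Set SNPM_ALLOW_SCRIPTS to enable.
//   - node-sass
//   - sharp
```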

Why This Matters

Protection Against:

  • Malicious install scripts that steal credentials
  • Cryptocurrency miners installed via npm packages
  • Backdoors installed during package installation
  • Unaudited third-party code execution

Trade-offs:

  • Some packages require install scripts to function (e.g., puppeteer downloads Chrome)
  • You must manually whitelist these trusted packages

Only whitelist packages you trust. Review what install scripts do before allowing them.

Checking Blocked Scripts

When snpm blocks scripts, it shows a summary:

Blocked 3 install scripts. Set SNPM_ALLOW_SCRIPTS to enable.
  - node-sass
  - sharp
  - canvas

Best Practices

Use Minimum Package Age in Production - Set SNPM_MIN_PACKAGE_AGE_DAYS=7 for production projects.

Control Install Scripts - Be selective about which packages can run install scripts:

export SNPM_ALLOW_SCRIPTS="puppeteer,esbuild"

Commit Lockfiles - Always commit snpm-lock.yaml to ensure consistent installs.

Use Frozen Lockfile in CI - Prevent unexpected updates:

snpm install --frozen-lockfile

Review Dependency Updates - When updating dependencies, review the changes in snpm-lock.yaml.

Use Private Registries - For sensitive projects, use a private registry with authentication.

Audit Dependencies - Regularly review your dependencies for known vulnerabilities (external tools can help with this).

CI/CD Security

# Set minimum package age
export SNPM_MIN_PACKAGE_AGE_DAYS=7

# Control install scripts (whitelist only trusted packages)
export SNPM_ALLOW_SCRIPTS="puppeteer,esbuild"

# Use frozen lockfile
snpm install --frozen-lockfile

# Run your build/tests
snpm run build
snpm run test

GitHub Actions Example

- name: Install dependencies
  env:
    SNPM_MIN_PACKAGE_AGE_DAYS: "7"
    SNPM_ALLOW_SCRIPTS: "puppeteer,esbuild"
  run: snpm install --frozen-lockfile

Reporting Security Issues

If you discover a security vulnerability in snpm itself, please report it to the maintainers via GitHub Security Advisories.
