v0.5.0 — transitive dependency evaluation
Transitive dependency evaluation. SafeInstall can now evaluate the full lockfile dependency tree, not just direct dependencies — closing the biggest coverage gap, since most real supply-chain attacks reach a project through a transitive dependency.
Two checks run transitively, both read directly from the lockfile with zero extra registry calls:
- install-script — flags transitive packages that declare a lifecycle script (the ua-parser-js attack class). npm records this in the lockfile; pnpm lockfiles do not, so this check is npm-only for now.
- untrusted-source — flags transitive packages resolving from git, url, or tarball sources. Works for npm and pnpm.
Opt in via the newtransitiveconfig block (defaults to off, fully backward compatible):
{
"transitive": {
"mode": "warn",
"checks": ["install-script", "untrusted-source"]
}
}