Skip to content

v0.5.0 — transitive dependency evaluation

Choose a tag to compare

@Mickdownunder Mickdownunder released this 03 Jun 19:12

Transitive dependency evaluation. SafeInstall can now evaluate the full lockfile dependency tree, not just direct dependencies — closing the biggest coverage gap, since most real supply-chain attacks reach a project through a transitive dependency.
Two checks run transitively, both read directly from the lockfile with zero extra registry calls:

  • install-script — flags transitive packages that declare a lifecycle script (the ua-parser-js attack class). npm records this in the lockfile; pnpm lockfiles do not, so this check is npm-only for now.
  • untrusted-source — flags transitive packages resolving from git, url, or tarball sources. Works for npm and pnpm.
    Opt in via the new transitive config block (defaults to off, fully backward compatible):
{
  "transitive": {
    "mode": "warn",
    "checks": ["install-script", "untrusted-source"]
  }
}