Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Local development security

Given the emerging supply chain attacks, it is not enough to rely on CI security checks. Those only safeguard CI itself, and prevent merging compromised code to develop. Additional hardening for local development is highly recommended for developers to work safely with npm packages (adding new npm packages, updating existing ones).

PMG by SafeDep

pmg is a tool that wraps yarn, and scans packages that are being fetched from npm registry for known malicious code.
PMG was chosen because it is fully open source, with permissible license, works well with yarn and can easily be built from source.
You can refer to the official documentation for more details.

See their Quick start README for setup instructions.
Note that building from source is a viable option.

You can test it by running yarn add [email protected] (PMG blocks the package as if it was malicious).

Alternatives