Package Exports

@aldegad/safedeps
@aldegad/safedeps/bin/safedeps

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@aldegad/safedeps) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

Safedeps

Dependency install safety gate -- advisory checks, approved spec enforcement, and auto-rollback suspicious package installs in Claude Code and Codex CLI.

Why "reorg"?

In blockchain networks, a reorganization (reorg) invalidates a sequence of blocks and reverts the chain to a previously confirmed safe state. safedeps applies the same principle to your node_modules: every install is treated as an unconfirmed block candidate until it passes a battery of supply-chain security checks. If anything looks wrong, the tool performs a reorg -- rolling back lock files, package.json, and node_modules to the last confirmed safe snapshot.

No manual review. No leftover malicious code. Fully automatic.

Distribution Model

Safedeps has two distribution surfaces:

Agent skill + hooks (canonical) -- the repo itself is the skill folder. SKILL.md, hook scripts, provider/ledger libraries, and install helpers stay together in one directory.
npm package (CLI convenience) -- @aldegad/safedeps installs the safedeps command. npm does not make Claude Code or Codex automatically discover the skill; after npm installation, users still need to run the hook/skill installer or manually register the skill folder.

Use the GitHub release when you want the full skill/hook source tree as the canonical artifact. Use npm when you mainly want a versioned global CLI.

How It Works

safedeps plugs into Claude Code and Codex CLI hooks as a pair of PreToolUse and PostToolUse hooks that wrap package install commands. The CLI owns provider lookups and the approved-spec ledger; hooks enforce that ledger and run post-install rollback checks.

                         PreToolUse                          PostToolUse
                  (safedeps-pre-guard.sh)          (safedeps-post-verify.sh)
                            |                                    |
  install cmd ──> [ Advisory/ledger gate ] ──> [ Execute ] ──> [ Verify ]
                     |            |                           |       |
                  Block if      Snapshot                   Clean?  Suspicious?
                  unapproved    lock/manifest files,        |       |
                   or risky     package listings          Confirm  REORG
                                                              |       |
                                    |                       v       v
                                    +--- parent_snapshot_id ──> confirmed
                                                                    |
                                                              Rollback to last
                                                              confirmed snapshot

Phase 1: Advisory Gate + Pre-flight (PreToolUse)

Before an agent installs a dependency, it should run:

safedeps check <ecosystem> <pkg>@<version|range> --json

That command queries OSV (canonical), CISA KEV (hard-risk overlay), and GitHub Advisory (enrichment). Clean or safely narrowed specs are written to ~/.safedeps/approved-specs/.

When Claude Code or Codex CLI is about to run npm install, pip install, cargo add, go get, gem install, or similar commands, the guard hook:

Snapshots the current package-lock.json, pnpm-lock.yaml, yarn.lock, and package.json into ~/.safedeps/snapshots/.
Records metadata including a parent_snapshot_id linking to the previous confirmed snapshot (forming a chain, just like blocks).
Captures pre-install state of node_modules (package listings and binary listings) for diff-based detection later.
Enforces the approved-spec ledger for explicit pkg@version install commands.
Runs pre-flight checks and blocks the command entirely if it detects:
- Typosquatting package names (lod_sh, reacct, axois, etc.)
- Non-standard --registry URLs (anything outside registry.npmjs.org and registry.yarnpkg.com)
- Piped remote execution patterns (curl ... | bash)
- Explicit disabling of install script safety (npm config set ignore-scripts false)

If the ledger gate or a pre-flight check fails, the command is blocked before execution -- nothing is installed.

Phase 2: Post-install verification (`safedeps-post-verify.sh` -- PostToolUse)

After the install command completes, the verify hook analyzes what changed:

Install script analysis -- Scans newly added packages for preinstall, install, and postinstall scripts containing:
- Network access (curl, wget, fetch, http, socket, dns)
- Dynamic code execution (eval, exec, spawn, child_process, Function())
- Sensitive path access (~/.ssh, .env, .aws, credentials)
- Obfuscated content (base64, atob, Buffer.from, hex/unicode escapes)
Lock file diff analysis -- Compares the snapshotted lock file content against the post-install version:
- Resolved URLs pointing to non-standard registries
- Insecure protocols (http://, git://) in resolved URLs
- Unusually large dependency additions (>50 new resolved entries, indicating potential dependency confusion)
Binary inspection -- Checks node_modules/.bin/ for newly added native binaries (ELF, Mach-O, shared objects) that should not appear in a JavaScript project.

Phase 3: Confirm or Reorg

All checks pass -- The snapshot is marked as confirmed in ~/.safedeps/confirmed. This becomes the new safe baseline.
Any check fails -- A reorg is triggered:
1. Lock files are restored from the last confirmed snapshot.
2. package.json is restored if it was modified.
3. node_modules is rebuilt via npm ci (or npm install as fallback) to purge any malicious artifacts.
4. The event is logged to ~/.safedeps/reorg.log.
5. Claude Code receives a system message detailing the detected threats and rollback actions.

The Blockchain Analogy

Blockchain Concept	Safedeps Equivalent
Block candidate	Snapshot taken before `npm install`
Block validation	Post-install security checks (scripts, lock diff, binaries)
Finality / confirmation	Snapshot ID written to `~/.safedeps/confirmed`
Chain reorganization	Rollback to last confirmed snapshot + `node_modules` rebuild
Parent hash linking	`parent_snapshot_id` in each snapshot's `_meta.json`
Chain pruning	Old unconfirmed snapshots cleaned up, confirmed chain preserved

Detection Rules

Category	What it catches	Phase	Action
Typosquatting	Known misspelling patterns of popular packages	Pre-flight	Block
Pipe execution	`curl \| bash`, `wget \| sh`	Pre-flight	Block
Registry hijack	`--registry` pointing to unofficial sources	Pre-flight	Block
Script safety bypass	`npm config set ignore-scripts false`	Pre-flight	Block
Command indirection	`eval "npm install ..."`, subshell expansion, variable indirection	Pre-flight	Guard
npx/dlx execution	`npx`, `pnpm dlx`, `yarn dlx` package execution	Pre-flight	Guard
Malicious install scripts	Network calls, `eval`/`exec`, sensitive path access in hooks	Post-install	Reorg
Obfuscated code	Base64, hex encoding, `Buffer.from` in install scripts	Post-install	Reorg
Lock file tampering	Resolved URLs from non-standard registries	Post-install	Reorg
Insecure protocols	`http://` or `git://` resolved URLs	Post-install	Reorg
Dependency confusion	>50 new dependencies in a single install	Post-install	Reorg
Native binaries	Compiled executables in `node_modules/.bin/`	Post-install	Reorg

Installation

Prerequisites

Claude Code with hook support
jq -- JSON parsing (hooks exit gracefully if missing)
shasum or sha256sum -- hash computation
file (optional) -- binary detection

# macOS
brew install jq

# Ubuntu / Debian
sudo apt-get install jq

Setup From GitHub (Skill + Hooks)

1. Clone the repository:

git clone https://github.com/aldegad/safedeps.git
cd safedeps

2. Install the skill + hooks:

node scripts/install/install-safedeps-hooks.mjs

The installer is idempotent. It symlinks the skill into ~/.claude/skills/safedeps and ~/.codex/skills/safedeps when those roots exist, patches the matching hook config, and can also place safedeps on PATH through ~/.local/bin.

3. Manual hook registration, if needed:

Edit .claude/settings.json (project-level) or ~/.claude/settings.json (global):

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "~/.claude/skills/safedeps/scripts/safedeps-pre-guard.sh"
          }
        ]
      }
    ],
    "PostToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "~/.claude/skills/safedeps/scripts/safedeps-post-verify.sh"
          }
        ]
      }
    ]
  }
}

4. Verify permissions:

chmod +x ~/.claude/skills/safedeps/scripts/safedeps-pre-guard.sh
chmod +x ~/.claude/skills/safedeps/scripts/safedeps-post-verify.sh

That's it. The guard activates automatically whenever Claude Code or Codex CLI runs a package install command.

Setup From npm (CLI First)

npm install -g @aldegad/safedeps
safedeps version

npm puts safedeps on PATH through its standard bin entry. It does not register the agent skill or hooks for Claude Code / Codex. To enable the hooks from the npm-installed copy, run the installer from the installed package root:

cd "$(npm root -g)/@aldegad/safedeps"
node scripts/install/install-safedeps-hooks.mjs

The installer is idempotent and only adds symlinks/hook entries. The --link-bin flag is only useful when you installed via GitHub clone instead of npm — npm already places the CLI on PATH, so the flag is redundant in this path.

If you want the skill folder itself to be the canonical local source, prefer the GitHub setup above.

Daily Re-check With macOS Alerts

Install a per-user LaunchAgent to re-check the approved-spec ledger once per day:

node scripts/install/install-safedeps-recheck-agent.mjs install --hour 9 --minute 0

This runs safedeps re-check --json against ~/.safedeps/approved-specs/. It does not use LLM tokens; it only calls the advisory providers used by safedeps. If a new CVE/KEV is found, a spec is revoked, or a provider check is skipped, the wrapper writes ~/.safedeps/recheck-alerts.jsonl and raises a macOS notification.

Useful commands:

node scripts/install/install-safedeps-recheck-agent.mjs status
node scripts/install/install-safedeps-recheck-agent.mjs uninstall
tail -f ~/.safedeps/recheck.log

Legacy State Migration

If you used the old npm-reorg-guard state directory, migrate it once:

safedeps migrate

This copies missing state from ~/.npm-reorg-guard into ~/.safedeps and archives the legacy directory so there is no second active state root.

Real-World Attack Coverage

safedeps is designed to catch the patterns behind real supply-chain incidents:

event-stream (2018) -- Malicious postinstall script with obfuscated code that exfiltrated cryptocurrency wallet keys. Caught by: install script analysis (obfuscation + network access detection).
ua-parser-js hijack (2021) -- Compromised package added a preinstall script that downloaded and executed cryptominers. Caught by: install script analysis (network access + code execution).
colors / faker sabotage (2022) -- While these were author-initiated, the abnormal dependency behavior would trigger the dependency explosion check.
Typosquatting campaigns -- Ongoing campaigns publishing packages like crossenv (instead of cross-env) or babelcli (instead of babel-cli). Caught by: pre-flight typosquatting pattern matching.
Dependency confusion attacks -- Internal package names published to the public registry with higher version numbers. Caught by: non-standard registry detection + large dependency count changes.

Logs and Snapshots

Path	Description
`~/.safedeps/reorg.log`	Full reorg event history with timestamps, reasons, and rolled-back files
`~/.safedeps/confirmed`	Current confirmed (safe) snapshot ID
`~/.safedeps/snapshots/`	All snapshot files (lock files, package.json copies, metadata)

# View reorg history
cat ~/.safedeps/reorg.log

# Check current confirmed snapshot
cat ~/.safedeps/confirmed

# List all snapshots
ls -la ~/.safedeps/snapshots/

Old unconfirmed snapshots are automatically pruned (keeping the 10 most recent), while the confirmed snapshot chain is always preserved.

Security Hardening

safedeps includes multiple layers of defense against attacks targeting the guard itself:

Measure	What it prevents
JSON-safe metadata	`project_dir` is escaped via `jq -Rs` to prevent JSON injection in snapshot metadata
Path canonicalization	`realpath`/`readlink -f` resolves symlinks and `..` traversal in `cwd` before use
Atomic state files	Snapshot ID and project directory are written as a single JSON file, preventing TOCTOU races
Stale lock recovery	Locks older than 60 seconds are automatically removed, preventing permanent DoS from `SIGKILL`/OOM
Project-scoped state	Each project gets its own confirmed snapshot chain (`confirmed_${dir_hash}`), preventing cross-project interference
Restrictive permissions	`umask 077` ensures `~/.safedeps/` is readable only by the owner
Indirection detection	Commands using `eval`, `$()`, or backticks with package manager keywords are treated as install candidates

Project Structure

safedeps/
  bin/
    safedeps      # CLI -- advisory gate, ledger, revoke, re-check
  lib/
    providers/    # OSV / CISA KEV / GHSA adapters
    ledger/       # approved-spec ledger
  scripts/
    safedeps-pre-guard.sh       # PreToolUse hook -- snapshot + ledger enforcement
    safedeps-post-verify.sh     # PostToolUse hook -- post-install verification + reorg
    install/install-safedeps-hooks.mjs
    install/install-safedeps-recheck-agent.mjs
    install/migrate-safedeps-state.mjs
    safedeps-recheck-alert.sh
    test/
  package.json
  SKILL.md        # Claude Code / Codex skill manifest
  LICENSE         # Apache-2.0

License

Apache License 2.0

@aldegad/safedeps