JSPM

@refentse/gatekeeper-cli

1.0.1
    • Downloads 16
    • License ISC

    Zero-Trust Package Management

    Package Exports

    • @refentse/gatekeeper-cli
    • @refentse/gatekeeper-cli/index.js

    This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@refentse/gatekeeper-cli) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

    Readme

    🛡️ npm-gatekeeper

    Proactive, Zero-Trust Supply Chain Security for Node.js.

    npm-gatekeeper is a lightweight CLI wrapper that moves supply-chain checks in front of the install step. It intercepts gatekeeper install <package>, looks up the requested package in the registry metadata and the OSV database, and refuses to hand off to npm when it finds known malware, install-time lifecycle scripts, or a suspiciously fresh publish (the usual signature of typosquats and hijacked maintainer accounts). A bad package is therefore stopped before its tarball is fetched or any of its scripts run on your machine or in your CI/CD environment.


    🚨 The Threat Landscape

    The modern JavaScript ecosystem runs on implicit trust. A plain npm install resolves the dependency tree and, unless --ignore-scripts is set, runs every lifecycle script that each package declares in its package.json (preinstall, install, postinstall), with the privileges of whoever ran the install.

    The Reality: recent supply chain attacks weaponize these scripts to drop Remote Access Trojans (RATs) and exfiltrate .env secrets and CI credentials within seconds of the install starting. A scanner that runs after npm install has finished is auditing an environment that is already compromised.

    🛡️ The Gatekeeper Solution

    npm-gatekeeper replaces blind trust with active, real-time metadata interception.

    Feature                     npm install         gatekeeper install
    Execution model             Implicit trust      Zero-trust
    OSV database check          Manual/reactive     Real-time interception
    Malicious script blocking   ❌ No               ✅ Hard-block
    Typosquatting protection    ❌ No               ✅ Age heuristics
    Speed                       ⚡ Fast             ⚡ Fast (native hand-off)

    ⚙️ Core Architecture

    1. Threat Intelligence Sync: Queries the Google-run Open Source Vulnerabilities (OSV) API for the requested package and version before anything is fetched. Versions with a known malicious-package advisory are hard-blocked.
    2. Lifecycle Quarantine: Reads the version's manifest from the registry metadata and flags any preinstall, install or postinstall script, which npm would otherwise run without asking. Each flagged script requires developer authorization before the install proceeds.
    3. Zero-Day Age Heuristics: Compares the version's publication timestamp with the current time. A version published less than 48 hours ago triggers a high-risk warning, on the reasoning that a hijacked maintainer account usually ships a fresh malicious release. The threshold also catches legitimate new releases and says nothing about a malicious version older than 48 hours, so it complements the OSV check rather than replacing it.
    4. Frictionless Pass-Through: If every check passes, the original arguments are handed to the native npm binary. The only added cost is the registry metadata and OSV lookups; the install itself runs at native speed.
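
    The four steps above, as an added example in Node.js that is not npm-gatekeeper's own code. It runs the checks over a constructed packument and a constructed OSV response so it works offline. The field names follow the real npm registry packument (versions, time) and the real OSV v1 query API (package, version, vulns; an empty object means no matches); the verdict levels, the MAL- advisory ID, the package name and the function names are assumptions made for this example.

```javascript
// Added example (not npm-gatekeeper's code): pre-install checks over an npm packument.
// Assumed names: assessPackage, npmInstallArgs, the verdict levels, the sample package.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];
const MAX_AGE_HOURS = 48;

// Request body for POST https://api.osv.dev/v1/query (built, not sent, here).
function buildOsvQuery(name, version) {
  return { package: { name, ecosystem: 'npm' }, version };
}

// Returns { verdict, findings }; verdict is 'block' | 'confirm' | 'warn' | 'allow'.
function assessPackage(packument, version, osvResponse, now = Date.now()) {
  const manifest = packument.versions[version];
  if (!manifest) throw new Error(`${packument.name}@${version} not in packument`);
  const findings = [];

  // 1. Threat intelligence: OSV lists malicious-package advisories under MAL- IDs.
  //    Those are a hard block; ordinary vulnerability advisories are only reported.
  const vulns = (osvResponse && osvResponse.vulns) || [];
  const malicious = vulns.filter((v) => v.id.startsWith('MAL-'));
  if (malicious.length > 0) {
    findings.push({ level: 'block', reason: 'known malware', ids: malicious.map((v) => v.id) });
  } else if (vulns.length > 0) {
    findings.push({ level: 'warn', reason: 'known vulnerabilities', ids: vulns.map((v) => v.id) });
  }

  // 2. Lifecycle quarantine: any hook npm would run at install time needs authorization.
  const scripts = manifest.scripts || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string');
  if (hooks.length > 0) {
    findings.push({ level: 'confirm', reason: 'lifecycle scripts', scripts: hooks.map((h) => `${h}: ${scripts[h]}`) });
  }

  // 3. Age heuristic: a version published less than MAX_AGE_HOURS ago is high risk.
  //    A missing or unparsable timestamp is treated as suspicious rather than ignored.
  const ageHours = (now - Date.parse(packument.time[version])) / 3600000;
  if (!Number.isFinite(ageHours) || ageHours < MAX_AGE_HOURS) {
    findings.push({ level: 'warn', reason: `published ${ageHours.toFixed(1)}h ago (< ${MAX_AGE_HOURS}h)` });
  }

  const levels = findings.map((f) => f.level);
  const verdict = levels.includes('block') ? 'block'
    : levels.includes('confirm') ? 'confirm'
    : levels.includes('warn') ? 'warn'
    : 'allow';
  return { verdict, findings };
}

// 4. Hand-off: argv for the native npm binary once the package is allowed. When the
//    developer declines to authorize hooks, npm's real --ignore-scripts flag is added.
function npmInstallArgs(name, version, ignoreScripts = false) {
  const args = ['install', `${name}@${version}`];
  if (ignoreScripts) args.push('--ignore-scripts');
  return args;
}

// Constructed sample packument for a fictional package with two versions.
const SAMPLE_PACKUMENT = {
  name: 'example-pkg',
  time: { '1.0.0': '2023-01-10T12:00:00.000Z', '1.0.1': '2024-05-01T00:00:00.000Z' },
  versions: {
    '1.0.0': { version: '1.0.0', scripts: { test: 'node test.js' } },
    '1.0.1': { version: '1.0.1', scripts: { postinstall: 'node setup.js' } },
  },
};
// Constructed OSV responses; the advisory ID is made up for this example.
const OSV_CLEAN = {};
const OSV_MALWARE = { vulns: [{ id: 'MAL-0000-00000', summary: 'Malicious code in example-pkg' }] };
// Fixed "now" so the 1.0.1 publish is exactly 24 hours old.
const NOW = Date.parse('2024-05-02T00:00:00.000Z');

function demo() {
  return {
    clean: assessPackage(SAMPLE_PACKUMENT, '1.0.0', OSV_CLEAN, NOW),
    fresh: assessPackage(SAMPLE_PACKUMENT, '1.0.1', OSV_CLEAN, NOW),
    malware: assessPackage(SAMPLE_PACKUMENT, '1.0.1', OSV_MALWARE, NOW),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, result] of Object.entries(demo())) {
    console.log(label, result.verdict, JSON.stringify(result.findings));
  }
}
```

    In a real wrapper the packument comes from GET https://registry.npmjs.org/<name> and the OSV response from POST https://api.osv.dev/v1/query with the body from buildOsvQuery; only on an 'allow' (or an authorized 'confirm') verdict would the wrapper spawn npm with the arguments from npmInstallArgs. Note that 'clean' produces no findings, 'fresh' asks for authorization because of the postinstall script and warns about the 24-hour age, and 'malware' is blocked before either of those matter.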

    🚀 Usage

    Installation

    npm install -g npm-gatekeeper

    Secure Your Workflow

    Simply replace npm with gatekeeper when installing dependencies.

    # Securely install a package
    gatekeeper install express

    Example: Threat Interception

    If a compromised package or known malware vector is detected, Gatekeeper halts the process instantly:

    $ gatekeeper install lodash-security-patch
    
    🔍 Inspecting metadata for: lodash-security-patch...
    📡 Checking Google OSV database...
    
    🚨 CRITICAL: KNOWN MALWARE DETECTED 🚨
       Package: lodash-security-patch@1.0.0
       Vulnerabilities: 1 [Malicious Script Injection]
       
    🚫 HARD BLOCK ACTIVATED. Installation aborted.

    🏗️ Enterprise & CI/CD

    Currently in Development. We are building headless modes for GitHub Actions, GitLab CI, and Azure DevOps to enforce strict zero-trust installation policies across organizational builds.


    🤝 Contributing

    Securing the open-source supply chain is a community effort. If you are a security researcher or developer, please open an issue or submit a pull request to help expand our heuristic engine.

    📄 License

    This project is licensed under the ISC License.