JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 7
  • Score
    100M100P100Q80793F
  • License MIT

JS/TS supply-chain hardening CLI — scan, secure, and enforce dependency policies

Package Exports

  • depsentinel

Readme

depsentinel

JS/TS supply-chain hardening CLI. Detect your package manager, evaluate risk, and apply secure defaults — in one command.

Quick start

1) Scan the project

npx depsentinel scan

2) Generate secure defaults

npx depsentinel init

3) Run full diagnosis

npx depsentinel doctor

4) Add CI policy gate

npx depsentinel ci --json

Commands

Command Purpose
scan Explain current risk posture: detect PM/framework, evaluate policies, return risk_score + remediation commands
init Generate .npmrc, .npmignore, CI workflow, PM-specific configs (--dry-run to preview)
ci --json Policy gate for CI pipelines; exits non-zero on critical findings
install <pkg> Preflight check before adding a dependency (allow|warn|block)
doctor Diagnose project against 26 npm security best practices
doctor --fix Diagnose and auto-apply known remediations (.npmrc, scripts, configs)
trust add|remove|list Manage allow/ignore build-script trust per package manager
override add|remove|list Manage policy exceptions with reason and expiration

Trust examples

depsentinel trust add sharp --mode allow-build --write
depsentinel trust add fsevents --mode ignore-build --write
depsentinel trust list --pm pnpm

Typical flows

# First-time hardening
depsentinel scan
depsentinel init
depsentinel doctor

# Dependency preflight
depsentinel install <package>

# CI gate
depsentinel ci --json

What it enforces

  • Disable post-install scripts.npmrc ignore-scripts=true
  • Block git-based dependencies.npmrc allow-git=none
  • Package cooldown.npmrc min-release-age=3 (3 days)
  • pnpm hardeningminimumReleaseAge, trustPolicy: no-downgrade, blockExoticSubdeps, strictDepBuilds
  • Deterministic CI installs — frozen lockfile per package manager
  • Advisory checks — critical vulnerability matching
  • Tool adapters — optional npq, sfw, lockfile-lint integration
  • Override system — time-bound exceptions with documented reasons

Supports npm, pnpm, yarn, and bun — auto-detected. Unknown frameworks degrade gracefully to universal JS/TS baseline.

Install

npm install -g depsentinel
# or
pnpm add -g depsentinel

Docs

Full security best-practices guide with 26-point coverage matrix: docs/security-best-practices.md

License

MIT