ExecFence
Guard npm/pnpm/yarn/Bun installs, dependency changes, CI, and agent-run commands before suspicious project code executes.
ExecFence is a local execution and supply-chain guardrail for JavaScript projects, CI pipelines, package releases, and coding agents. It puts a reviewable fence in front of risky commands such as dependency installs, tests, builds, package scripts, publish steps, and agent-driven tool execution.
Quick Start
Run a scan without installing globally:
npx --yes execfence scan
Guard a command before it runs:
npx --yes execfence run -- npm test
Enable project-local guardrails:
npx --yes execfence guard enable
npx --yes execfence guard enable --apply
Enable global package-manager interception for terminal and agent-run commands:
npx --yes execfence guard global-enable
What Version 4 Adds
ExecFence v4 focuses on npm supply-chain attacks and package-manager execution:
- global shims for npm, npx, pnpm, yarn, yarnpkg, bun, and bunx
- lifecycle-script suppression for install-like commands
- dependency metadata and reputation review for changed packages
- OSV advisory checks without npm tokens or user credentials
- tarball integrity/content audit and tarball delta against the previous version
- supplyChain.mode: "strict" for CI/release workflows
- runtime dependency behavior audit with helper-backed enforcement when available
Install-like commands such as npm install, npm ci, pnpm add, yarn install, and bun add run through ExecFence first. When they are allowed, ExecFence delegates to the real package manager with lifecycle scripts disabled. Script-running commands such as npm run, npm test, yarn start, bun test, pack, and publish keep their main command semantics after the preflight scan passes.
Common Commands
npx --yes execfence --help
npx --yes execfence scan
npx --yes execfence run -- npm test
npx --yes execfence ci
npx --yes execfence deps review
npx --yes execfence coverage
npx --yes execfence pack-audit
npx --yes execfence agent-report
npx --yes execfence sandbox doctor
Strict Supply-Chain Mode
For security-sensitive CI, release, or package-publishing workflows:
{
  "supplyChain": {
    "mode": "strict"
  }
}
Strict mode blocks when metadata, reputation, or tarball signals are unavailable; when integrity or provenance signals are missing; during release cooldowns and new-package age windows; on package-manager surfaces that are not covered by a shim; and on dependency runtime audits that lack helper-backed containment.
When ExecFence Blocks
Do not rerun the command outside ExecFence just to bypass the block. Start with the report:
npx --yes execfence reports latest
npx --yes execfence incident bundle --from-report .execfence/reports/<report>.json
If the finding is legitimate and must be allowed, create a narrow reviewed baseline with owner, reason, expiry, and hash.
Documentation
The npm README is intentionally short. Full documentation lives here:
- Full documentation
- Source docs
- Detection model
- npm supply-chain assessment
- Release cadence
- OpenAI Skills catalog PR
Non-Claims
ExecFence does not replace antivirus, EDR, secret scanning, dependency vulnerability management, or human review. It does not prove that arbitrary library code is benign. It blocks and records the execution paths and supply-chain signals it can observe: scripts, lockfiles, package metadata, reputation feeds, tarballs, runtime evidence, workflows, binaries, archives, and agent/tool configuration.
License
Apache-2.0