May 11, 2026
npm, but make it paranoid
Show HN: Safe-install – safer NPM installs with trusted build dependencies
A new tool wants to stop surprise code downloads, but commenters say the fix already exists
TLDR: Safe-install adds a simple safety check for installs, blocking hidden setup code unless you explicitly approve it. Commenters were split between "helpful for solo developers" and "big companies solved this ages ago," with "cowboy installs" becoming the thread’s most memorable jab.
The pitch here is simple: stop letting random dependencies run code the moment you install them. The new tool, safe-install, keeps install scripts switched off by default and only runs a package's setup steps once you have explicitly marked that package as trusted. In plain English: fewer nasty surprises, more permission slips. For anyone who’s ever installed a project and quietly prayed nothing weird happened in the background, that’s a pretty juicy promise.
But the comments instantly turned into a classic tech food fight. One camp basically said, "cute idea, but we already have bouncers at the door". User edoceo jumped in waving another package gatekeeper tool like a proud parent at a school play, calling it a favorite after years of "self-built jank". Meanwhile, pjmlp delivered the stern enterprise-manager energy: this problem is already handled by big-company systems like Nexus and Artifactory, and security-conscious teams don’t do "cowboy installs" in the first place. Ouch.
That split is the real drama: is safe-install a smart, practical safety belt for ordinary developers, or just a reinvented wheel for people without a corporate fortress around them? The mood was less "wow, groundbreaking" and more "finally, a normal-person version of something security teams have been nagging about forever". And yes, the phrase "cowboy installs" absolutely stole the show — because nothing spices up software drama like implying somebody is yee-hawing unknown code straight into production.
Key Points
- safe-install is designed for npm projects: it blocks every dependency's lifecycle scripts during install by default, then rebuilds only the packages that have been explicitly trusted so that their scripts run.
- The article explains that npm lifecycle scripts (`preinstall`, `install`, `postinstall`) can execute arbitrary code with the installing user's privileges, while `ignore-scripts=true` blocks that whole class of install-time execution, for packages that genuinely need a build step as much as for malicious ones.
- safe-install moves script execution behind a reviewed allowlist in `package.json`: the `trustedDependencies` array determines which packages may run their install scripts.
- The tool includes a `review-deps` command that lists the dependencies declaring install-time scripts so users can inspect those scripts before trusting the package.
- An optional `blockExoticSubDeps` setting makes the install fail when a transitive dependency is resolved from a source outside the npm registry, that is, via a `git:`, `file:` or `link:` specifier or a remote tarball URL.
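To make the two checks above concrete, here is an added example, written for this page and not taken from safe-install's code or from the Show HN thread. It re-implements in plain Node.js the logic the key points describe: scan dependency manifests for npm lifecycle scripts, split them by the `trustedDependencies` allowlist, and classify each lockfile entry's `resolved` source as registry or exotic. Only the field names `trustedDependencies` and `blockExoticSubDeps` come from the article; the sample packages, the lockfile, the `REGISTRY_HOST` constant, the function names and the placement of `blockExoticSubDeps` in a separate config object are assumptions made for illustration.

```javascript
"use strict";
// Added example (not safe-install's own code). Re-implements the checks the
// article describes against constructed sample data; see comments for what
// is assumed.

// Scripts npm runs automatically when a dependency is installed. `prepare`
// is included because npm also runs it for dependencies installed from git.
const LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall", "prepare"];

const REGISTRY_HOST = "registry.npmjs.org"; // assumed: default public registry

// manifests: { "<package name>": <parsed node_modules/<name>/package.json> }
// Returns the packages that declare at least one install-time script
// (what a `review-deps`-style command would print for inspection).
function findInstallScripts(manifests) {
  const found = [];
  for (const [name, manifest] of Object.entries(manifests)) {
    const scripts = manifest.scripts || {};
    const hooks = LIFECYCLE_SCRIPTS.filter((s) => typeof scripts[s] === "string");
    if (hooks.length > 0) {
      found.push({ name, hooks: Object.fromEntries(hooks.map((h) => [h, scripts[h]])) });
    }
  }
  return found.sort((a, b) => a.name.localeCompare(b.name));
}

// Classify one package-lock (lockfileVersion 2/3) `packages` entry by origin.
function classifySource(entry) {
  if (entry.link === true) return "link"; // `link:` deps carry link: true
  const r = entry.resolved || "";
  if (r.startsWith("git+") || r.startsWith("git:")) return "git";
  if (r.startsWith("file:")) return "file";
  if (/^https?:\/\//.test(r)) {
    return new URL(r).host === REGISTRY_HOST ? "registry" : "remote-tarball";
  }
  return "unknown"; // no resolved field at all: treat as not-from-registry
}

// lockfile: parsed package-lock.json. Returns every non-root entry whose
// source is anything other than the configured registry.
function findExoticSources(lockfile) {
  const exotic = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // the root project itself
    const kind = classifySource(entry);
    if (kind !== "registry") exotic.push({ path, kind, resolved: entry.resolved || null });
  }
  return exotic;
}

// Plan an install: which script-bearing packages may be rebuilt with scripts
// enabled (allowlisted), which stay blocked pending review, and whether the
// exotic-source check aborts the whole install.
function planInstall(rootManifest, manifests, lockfile, config = {}) {
  const trusted = new Set(rootManifest.trustedDependencies || []);
  const withScripts = findInstallScripts(manifests);
  const rebuild = withScripts.filter((p) => trusted.has(p.name)).map((p) => p.name);
  const needsReview = withScripts.filter((p) => !trusted.has(p.name)).map((p) => p.name);
  const exotic = findExoticSources(lockfile);
  const fail = Boolean(config.blockExoticSubDeps) && exotic.length > 0;
  return { rebuild, needsReview, exotic, fail };
}

// Constructed sample data (not from a real project).
const SAMPLE_ROOT = { name: "demo-app", trustedDependencies: ["esbuild"] };
const SAMPLE_CONFIG = { blockExoticSubDeps: true }; // assumed location of the flag
const SAMPLE_MANIFESTS = {
  esbuild: { name: "esbuild", scripts: { postinstall: "node install.js" } },
  "left-pad": { name: "left-pad", scripts: { test: "node test.js" } }, // no hooks
  "unknown-helper": { name: "unknown-helper", scripts: { preinstall: "node ./setup.js" } },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/esbuild": { version: "0.21.0", resolved: "https://registry.npmjs.org/esbuild/-/esbuild-0.21.0.tgz" },
    "node_modules/left-pad": { version: "1.3.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
    "node_modules/unknown-helper": { version: "0.0.1", resolved: "git+ssh://git@github.com/example/unknown-helper.git#0123abc" },
    "node_modules/local-lib": { resolved: "../local-lib", link: true },
  },
};

console.log(JSON.stringify(planInstall(SAMPLE_ROOT, SAMPLE_MANIFESTS, SAMPLE_LOCK, SAMPLE_CONFIG), null, 2));
```

On the sample data the plan rebuilds only `esbuild`, leaves `unknown-helper` blocked for review, flags the git-sourced and linked entries as exotic, and fails the install because `blockExoticSubDeps` is on. Against a real project you would read each `node_modules/<name>/package.json` and `package-lock.json` from disk; with `ignore-scripts=true` in `.npmrc`, the rebuild step for an allowlisted package is `npm rebuild --ignore-scripts=false <name>`.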