June 1, 2026
Dependency drama, but make it safe
Show HN: DepsGuard – one command to harden NPM/pnpm/yarn/bun/uv configs
A one-click app to lock down your coding tools has people cheering, nitpicking, and joking about trust issues
TLDR: DepsGuard is a new tool that checks and fixes settings in popular developer tools to reduce the risk of bad code sneaking in, while making backups before any change. The crowd liked the simple idea, but immediately argued over whether a safety tool editing your files is reassuring or just a new thing to worry about.
A new tool called DepsGuard just strutted onto Show HN with a very simple promise: run one command, and it checks the settings behind popular package managers (npm, Yarn, pnpm and Bun for JavaScript, uv for Python) to help protect developers from supply-chain attacks, where bad actors sneak dangerous code into the software pipeline through the dependencies a project pulls in. It can suggest fixes, apply only the ones you approve, and makes a backup before touching any file. On paper, that sounds like pure comfort food for security-anxious developers. In the comments, though, the vibe quickly turned into equal parts applause, side-eye, and stand-up comedy.
The strongest reactions split into two camps. One crowd loved the idea of a simple safety check for a messy ecosystem, calling it the kind of boring-but-useful tool teams actually need. The other crowd immediately went full detective mode: Who decides the “recommended” settings? Can one tool safely edit so many config files? Is “one command” the start of peace of mind or a fresh new way to break everyone’s setup? That tension became the real show. Some praised the backup-and-restore feature as the part that made the whole thing feel responsible, while skeptics joked that installing yet another security tool to protect you from tools is the most developer thing ever.
And yes, the humor showed up fast. People riffed on the project's proudly tiny build, a single static binary with no third-party Rust crates, like it was the software equivalent of bragging about eating clean. Others compared the whole premise to putting a security system on your security system. In classic HN fashion, even the compliments came with a raised eyebrow.
Key Points
- DepsGuard scans npm, pnpm, yarn, bun, and uv configuration files and compares them with recommended supply-chain security settings.
- The tool can apply approved configuration fixes interactively, provides a read-only `scan` mode, and supports backup and restore for changed files.
- It also scans repositories for Renovate and Dependabot configuration files.
- DepsGuard is implemented in Rust, targets Linux, macOS, and Windows, and is distributed as a single static binary with no bundled third-party Rust crates.
- The post lists installation methods: prebuilt binaries, APT, Homebrew, Scoop, WinGet, crates.io, and building from source with Cargo.