HeadlinesBriefing.com

safe-install adds trusted script control to npm installs

Hacker News

Developer Greg Kiely released safe-install, an npm wrapper that disables install scripts by default and only re-enables them for packages explicitly listed in a trust allowlist. The tool mirrors Bun's "trusted dependencies" feature and pnpm's blockExoticSubdeps flag, giving projects a way to curb supply-chain attacks without abandoning npm.

To use it, developers add an entry to .npmrc, then define a script like "safe-install" in package.json. Running `npm run safe-install` lists dependencies with install-time scripts, letting maintainers review and add safe ones to a trustedDependencies array. Optional blockExoticSubDeps enforcement rejects any transitive dependency that pulls from git, file or remote URLs.

Because npm's ignore-scripts flag breaks legitimate builds, safe-install first installs with scripts disabled and then runs the rebuild step only for the allowlisted packages, preserving native bindings and binary downloads. The approach makes the trust decision explicit in version-controlled JSON, offering a pragmatic mitigation while npm itself shows no sign of adopting similar safeguards soon.
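The decision the summary describes, split into "run scripts", "skip and list for review" and "reject as exotic", as an added illustration; this is not safe-install's own code, and it assumes a lockfile v2/v3 "packages" map with npm's `hasInstallScript` and `resolved` fields, a constructed sample lockfile, and registry.npmjs.org as the only non-exotic host:

```javascript
const REGISTRY_HOST = "registry.npmjs.org"; // assumed default registry host
// Constructed sample of a package-lock.json v3 "packages" map (not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/native-addon-a": { version: "1.0.0", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/native-addon-a/-/native-addon-a-1.0.0.tgz" },
    "node_modules/pure-js-lib": { version: "2.1.0",
      resolved: "https://registry.npmjs.org/pure-js-lib/-/pure-js-lib-2.1.0.tgz" },
    "node_modules/native-addon-b": { version: "0.4.0", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/native-addon-b/-/native-addon-b-0.4.0.tgz" },
    "node_modules/native-addon-b/node_modules/@acme/helper": { version: "1.0.0",
      resolved: "git+ssh://git@github.com/acme/helper.git#abc123" },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? p : p.slice(i + "node_modules/".length);
}

// A spec is "exotic" when it is not a tarball served by the registry:
// git, file, or any http(s) URL on a different host.
function isExotic(resolved) {
  if (!resolved) return false;
  if (/^(git\+|git:|file:)/.test(resolved)) return true;
  try {
    const u = new URL(resolved);
    return (u.protocol === "http:" || u.protocol === "https:") && u.host !== REGISTRY_HOST;
  } catch {
    return true; // unparsable spec: treat as exotic
  }
}

// Decide, per lockfile entry, whether its install scripts run (rebuild),
// are skipped pending review, or whether the entry is rejected as exotic.
function auditLockfile(lock, trustedDependencies, { blockExoticSubDeps = false } = {}) {
  const trusted = new Set(trustedDependencies);
  const rebuild = [], skipped = [], exotic = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = nameFromPath(path);
    if (meta.hasInstallScript) (trusted.has(name) ? rebuild : skipped).push(name);
    if (blockExoticSubDeps && isExotic(meta.resolved)) exotic.push({ name, resolved: meta.resolved });
  }
  return { rebuild, skipped, exotic, ok: exotic.length === 0 };
}
```

With only `native-addon-a` trusted and exotic blocking on, the sample yields one package to rebuild, `native-addon-b` listed for review, and the git-sourced sub-dependency rejected.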

Community response on Hacker News has been modest, with a few developers noting the convenience of a drop-in solution versus switching to alternative registries. As supply-chain incidents keep surfacing, tools like safe-install provide immediate defense layers, though they rely on diligent maintenance of the trust list.