The npm client’s default settings are a root cause of JavaScript’s recurring supply chain security problems.

Andrew Nesbitt

npm's default settings are a root cause of JavaScript's recurring supply chain security problems. Key issues include: npm install silently rewriting lockfiles (npm ci is safer but obscure), postinstall scripts running by default for all packages (pnpm v10 and Bun block these by default), trusted publishing being reversible rather than a one-way door, the min-release-age cooldown feature being opt-in rather than default, and npx having no lockfile or cooldown at all. The axios compromise — 83M weekly downloads, malicious versions live for 2-3 hours via a staged dependency — illustrates exactly how these defaults are exploited. While pnpm, Bun, and Deno have made better security choices, npm ships with Node.js and dominates actual usage, making its defaults the baseline for millions of projects. Changing npm's defaults would do more for JavaScript supply chain security than any scanner or post-incident review.

npm's Defaults Are Bad

<p>It really is a major issue. Even if npm is fixed in a recent release, most people still use older versions and, even worse, many projects depend on these insecurities to function.</p>
