safe npm time travel installs
npm i safe-npm-cli -gYou can now use safe-npm wherever you were using npm before.
It's a drop-in replacement.
It wraps and monkey-patches npm to always install with the --before option set to -5 (five) days in the past _except_ for the dependencies you specify in the field trustedDependencies in package.json, like so:
...
"trustedDependencies": [
"decarg",
"pull-configs",
"vite-open"
],
...Those dependencies will bypass the --before option when npm tries to fetch their data. It will only work for the current project's package.json, not for dependencies but they will apply to the entire tree so you can point to a deep package as well. This new field is meant to let you still work on modules you publish while still mitigate against some of the risks related to 0-day (<5-day :) supply-chain attacks.
Other than that, it should behave exactly like npm does so it's drop-in replacement. You can use safe-npm wherever you were using npm previously.
If you don't want to use this package and you still want to use time travel you can run this command:
npm i --before=`date -I -d '-5 days'`But this has the problem that it will not pick up packages you just published so you'll be forced to do normal installs for them which means that their dependencies will NOT be time travelled and be subject to the same security issue. That's the reason this package was made for.
This is a hacky solution and will probably fail miserably in random situations. Use at your own risk.
MIT © 2022