PkgWarden
PKGWARDEN — Package Guardian with Auditing, Reporting & Detection. A security audit layer for Node.js package managers that scans, reports, and hardens your dependency supply chain.
Installation
```shell
npm install -g pkgwarden
yarn add pkgwarden
```
Why it exists
Supply-chain attacks on npm have exploded — from the event-stream incident to typosquatting campaigns targeting millions of developers. Most teams run `npm audit` and call it a day, but that only catches known CVEs. PkgWarden (originally called Argus) was built to go further: detect malicious patterns in package installation hooks, flag suspicious outbound network calls, and harden your `.npmrc` and lockfile configuration before an attack lands.
Features
Downloads and statically analyzes any npm package without installing it. Flags install scripts, network calls, code-execution patterns, and obfuscation before the code touches your machine.
Compares requested package names against 500+ popular packages using edit-distance and character-substitution heuristics. Catches common tricks like `lodahs`, `expres`, or homoglyph attacks.
Analyzes and fixes your `.npmrc`, `.yarnrc.yml`, or pnpm config. Enforces best-practice settings: `ignore-scripts`, registry pinning, and audit-level thresholds.
Non-interactive mode with `--ci` flag exits with code 1 on findings. JSON output integrates with GitHub Actions, GitLab CI, and any SARIF-compatible tool.
Highlights
- Scans `postinstall` / `preinstall` scripts for dangerous patterns like `eval`, `exec`, or base64-encoded payloads
- Detects typosquatting candidates using Levenshtein distance against a curated list of popular packages
- Hardens `.npmrc` to enforce HTTPS-only registry, disable scripts by default, and require lockfile integrity
- Generates machine-readable JSON reports for CI/CD integration
- Works with npm, yarn, and pnpm lockfiles
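As an added illustration (not PkgWarden's own code), the following sketch shows how the two typosquat heuristics named above, Levenshtein distance and character-substitution normalization against a curated list, can be combined so that a name like `c0mrnander` is still flagged when its raw edit distance exceeds the threshold. The popular-package list, substitution table and distance threshold are assumptions chosen for the example.

```javascript
// Assumed curated list; the real tool compares against 500+ packages.
const POPULAR = ['lodash', 'express', 'react', 'chalk', 'axios', 'commander'];

// Assumed lookalike table: multi-character confusables first, then digits
// that resemble letters, then separators that are often dropped or added.
const SUBSTITUTIONS = [
  [/rn/g, 'm'], [/vv/g, 'w'],
  [/0/g, 'o'], [/1/g, 'l'], [/3/g, 'e'], [/5/g, 's'],
  [/[-_.]/g, ''],
];

// Classic single-row dynamic-programming Levenshtein distance.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // dp[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // dp[i-1][j], becomes next diag
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Collapse common visual tricks so 'c0mrnander' compares as 'commander'.
function normalize(name) {
  return SUBSTITUTIONS.reduce((n, [re, repl]) => n.replace(re, repl), name);
}

// Returns null for an exact popular name or no suspicious match; otherwise
// the closest popular package plus the reasons it was flagged.
function checkTyposquat(name, popular = POPULAR, maxDistance = 2) {
  const raw = name.toLowerCase();
  if (popular.includes(raw)) return null;
  const norm = normalize(raw);
  let best = null;
  for (const target of popular) {
    const reasons = [];
    const distance = levenshtein(raw, target);
    if (distance <= maxDistance) reasons.push(`edit distance ${distance}`);
    if (norm === target) reasons.push('character substitution');
    if (reasons.length && (!best || distance < best.distance)) {
      best = { target, distance, reasons };
    }
  }
  return best;
}
```

A low threshold still produces false positives for very short names, so a production check would also weigh download counts or an allow-list before failing a build.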