<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Matheus Agostinho</title>
    <description>The latest articles on DEV Community by Matheus Agostinho (@matheusagostinho).</description>
    <link>https://dev.to/matheusagostinho</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3989609%2F0d4903fd-474a-4142-bc30-440948f3b54c.jpeg</url>
      <title>DEV Community: Matheus Agostinho</title>
      <link>https://dev.to/matheusagostinho</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/matheusagostinho"/>
    <language>en</language>
    <item>
      <title>I made supply-chain security a blocking step of npm install</title>
      <dc:creator>Matheus Agostinho</dc:creator>
      <pubDate>Thu, 18 Jun 2026 01:30:19 +0000</pubDate>
      <link>https://dev.to/matheusagostinho/i-made-supply-chain-security-a-blocking-step-of-npm-install-ik6</link>
      <guid>https://dev.to/matheusagostinho/i-made-supply-chain-security-a-blocking-step-of-npm-install-ik6</guid>
      <description>&lt;h2&gt;
  
  
  The gap
&lt;/h2&gt;

&lt;p&gt;&lt;code&gt;npm audit&lt;/code&gt; runs &lt;em&gt;after&lt;/em&gt; the install. By then the package — and any&lt;br&gt;
  &lt;code&gt;postinstall&lt;/code&gt; script it shipped — is already on your machine. For&lt;br&gt;
  supply-chain attacks, "after" is too late.&lt;/p&gt;

&lt;p&gt;So I built &lt;strong&gt;Vault&lt;/strong&gt;: an npm-compatible, pnpm-style package manager (written&lt;br&gt;
  in Rust) that makes the security check part of install itself.&lt;/p&gt;

&lt;p&gt;## What it does before touching node_modules&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Blocks known CVEs.&lt;/strong&gt; It audits the resolved graph (OSV + a static scan)
and refuses to install critical/high vulnerabilities. &lt;code&gt;--force&lt;/code&gt; exists, but
you have to mean it.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;No lifecycle scripts by default.&lt;/strong&gt; &lt;code&gt;postinstall&lt;/code&gt; is the classic malware
entrypoint; Vault doesn't run it unless you allow it, and installs run in a
Landlock sandbox.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Takeover signals.&lt;/strong&gt; It warns when a package was published moments ago or
when its maintainer count suddenly drops.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;## A real block&lt;/p&gt;

&lt;p&gt;A project had &lt;code&gt;"vite": "^5.4.11"&lt;/code&gt;. npm/pnpm happily resolve that to &lt;code&gt;5.4.21&lt;/code&gt;&lt;br&gt;
  and install it. That version sits inside the affected range of&lt;br&gt;
  &lt;strong&gt;GHSA-fx2h-pf6j-xcff&lt;/strong&gt; (CVE-2026-53571, CVSS 8.2). Vault:&lt;/p&gt;

&lt;p&gt;✗ BLOCKED &lt;a href="mailto:vite@5.4.21"&gt;vite@5.4.21&lt;/a&gt;: critical/high CVE(s): GHSA-fx2h-pf6j-xcff&lt;br&gt;
  error: security policy blocked install&lt;/p&gt;

&lt;p&gt;One bump to the patched line and the install went through clean.&lt;/p&gt;

&lt;p&gt;## Isn't auditing slow?&lt;/p&gt;

&lt;p&gt;It's pnpm-style under the hood (content-addressable store + hard links). In&lt;br&gt;
  my tests it lands within ~0.2s of pnpm on a warm cache &lt;strong&gt;while running a full&lt;br&gt;
  audit every install&lt;/strong&gt;. It's not faster than pnpm — the point is you don't pay&lt;br&gt;
  a real speed tax for the safety.&lt;/p&gt;

&lt;p&gt;## Try it / break it&lt;/p&gt;

&lt;p&gt;It's early (v0.1.3) and I want the rough edges found.&lt;/p&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;
bash
  npm i -g vaultpm   # bins: vault / vt
  vault install

  Repo: https://github.com/Matheusagostinho/vaultpm — issues and harsh feedback
  very welcome.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

</description>
      <category>javascript</category>
      <category>node</category>
      <category>security</category>
      <category>rust</category>
    </item>
  </channel>
</rss>
