DepsGuard - Supply Chain Defense
Guard your dependencies against supply chain attacks.
Prevent the next npm supply chain compromise from impacting you. One command to scan and fix npm, pnpm, yarn, bun, and uv configs for security best practices. Zero dependencies. MIT.
Install
brew tap arnica/depsguard https://github.com/arnica/depsguard
brew install depsguard
Homebrew tap. Works on Apple Silicon and Intel.
sudo install -d -m 0755 /etc/apt/keyrings
curl -fsSL https://depsguard.com/apt/gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/depsguard.gpg
echo "deb [signed-by=/etc/apt/keyrings/depsguard.gpg] https://depsguard.com/apt stable main" \
  | sudo tee /etc/apt/sources.list.d/depsguard.list >/dev/null
sudo apt update && sudo apt install depsguard
Debian/Ubuntu via APT. Also available via Homebrew on Linux.
WinGet
winget install Arnica.DepsGuard
Scoop
scoop bucket add depsguard https://github.com/arnica/depsguard
scoop install depsguard
Cargo
cargo install depsguard
Requires a Rust toolchain (1.74+).
Direct binaries · Full install guide
How to use
Install – pick your platform above.
Run depsguard in your terminal to launch the interactive TUI. It scans your system and shows a table of findings. Press any key to continue to the fix selector. Repo-level config discovery starts from the current directory and searches downward. Use depsguard scan for a read-only report, or depsguard --no-search to skip the recursive file search and only check user-level configs.
Note: some settings require a minimum version. If your version is too old you'll see:
ℹ min-release-age – requires npm ≥ 11.10 (have 10.2.0)
Upgrade with npm install -g npm@latest and re-run.
Navigate & select – use ↑↓ to move through the list (^u/^d to page). Press Space to toggle a fix on or off. Use quick-filter keys to bulk-select by file: a all, n .npmrc, u uv.toml, etc. – press once to select, again to deselect, a third time to clear the filter. Press f to show only currently selected fixes.
Preview – press d to see a diff of what will change before you commit to anything.
Apply – press Enter to apply the selected fixes. A timestamped backup is created before any file is written.
Rescan – DepsGuard automatically reruns the scan after applying, so you can verify everything is green.
Restore – run depsguard restore at any time to roll back from the backup list. Press q or Esc to quit.
Full documentation, config file locations, and troubleshooting tips are in the README.
Why this exists
Software supply chain attacks are increasing. On March 31, 2026, a compromised maintainer account was used to publish malicious versions of axios. The bad versions were live for ~3 hours before removal. Similar short-lived attacks hit ua-parser-js, colors, and node-ipc. The pattern is the same: an attacker publishes a poisoned version, and every npm install that runs before it's caught pulls it in.
Many modern package managers now ship with built-in defenses, but they're not always enabled by default. DepsGuard checks whether those settings are enabled and helps you turn them on.
Supported settings
| Manager | Config file | Setting | What it does |
|---|---|---|---|
| npm | .npmrc | min-release-age=7 | Delay new versions by 7 days (npm ≥ 11.10) |
| npm / pnpm | .npmrc | ignore-scripts=true | Block malicious install scripts |
| pnpm | .npmrc | minimum-release-age=10080 | Delay new versions by 7 days (in minutes) (pnpm ≥ 10.16) |
| pnpm | rc (pnpm ≤ 10; pnpm ≥ 11 uses config.yaml with camelCase keys) | ignore-scripts=true | Block malicious install scripts |
| pnpm | rc | minimum-release-age=10080 | Delay new versions by 7 days (pnpm ≥ 10.16) |
| pnpm | rc | block-exotic-subdeps=true | Block untrusted transitive deps (pnpm ≥ 10.26) |
| pnpm | rc | trust-policy=no-downgrade | Block provenance downgrades (pnpm ≥ 10.21) |
| pnpm | rc | strict-dep-builds=true | Fail on unreviewed build scripts (pnpm ≥ 10.3) |
| pnpm | pnpm-workspace.yaml | minimumReleaseAge: 10080 | Delay new versions by 7 days (in minutes) (pnpm ≥ 10.16) |
| pnpm | pnpm-workspace.yaml | strictDepBuilds: true | Stricter build scripts (pnpm ≥ 10.3) |
| pnpm | pnpm-workspace.yaml | trustPolicy: "no-downgrade" | Block provenance downgrades (pnpm ≥ 10.21) |
| pnpm | pnpm-workspace.yaml | blockExoticSubdeps: true | Block exotic sub-dependencies (pnpm ≥ 10.26) |
| Yarn | .yarnrc.yml | npmMinimalAgeGate: "7d" | Delay new versions by 7 days (yarn ≥ 4.10) |
| bun | .bunfig.toml | install.minimumReleaseAge = 604800 | Delay new versions by 7 days (in seconds) |
| uv | uv.toml | exclude-newer = "7 days" | Delay new versions by 7 days (uv ≥ 0.9.17) |
| Renovate | renovate.json | "minimumReleaseAge": "7 days" | Delay dependency update PRs |
| Dependabot | dependabot.yml | cooldown.default-days: 7 | Delay dependency update PRs |
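The table mixes units (npm counts days, pnpm minutes, bun seconds, yarn a "7d" duration string), so a value copied between managers can silently shrink a 7-day delay to 7 minutes. As an added example, not DepsGuard's own code, here is a small checker that parses the flat config files from the table, normalises each release-age setting to days, and reports missing keys, short delays and hardening flags that are not true. The file names, the REQUIRED map and the sample configs are assumptions constructed for this example.

```python
import re
MIN_DAYS = 7  # the table above configures a 7-day delay for every manager
# Release-age keys from the table, mapped to how many of their units make one day;
# None marks yarn's duration string ("7d", "168h"), which gets its own parser.
AGE_KEYS = {"min-release-age": 1, "minimum-release-age": 1440, "minimumReleaseAge": 1440,
            "install.minimumReleaseAge": 86400, "npmMinimalAgeGate": None}
BOOL_KEYS = {"ignore-scripts", "strict-dep-builds", "strictDepBuilds",   # must be true
             "block-exotic-subdeps", "blockExoticSubdeps"}
# Per file (assumed layout), groups of alternative keys of which at least one must be present.
REQUIRED = {".npmrc": (("min-release-age", "minimum-release-age"), ("ignore-scripts",)),
            "pnpm-workspace.yaml": (("minimumReleaseAge",), ("strictDepBuilds",)),
            ".yarnrc.yml": (("npmMinimalAgeGate",),), ".bunfig.toml": (("install.minimumReleaseAge",),)}
KV_RE = re.compile(r'^\s*([\w.-]+)\s*[=:]\s*"?([^"#]*?)"?\s*(?:#.*)?$')

def parse_flat_config(text):
    """key=value (.npmrc), key: value (yaml) or [section] key = value (toml) -> flat dict."""
    out, section = {}, ""
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):  # TOML table header, e.g. [install]
            section = s[1:-1] + "."
        elif s and s[0] not in "#;" and (m := KV_RE.match(line)):
            out[section + m.group(1)] = m.group(2).strip()
    return out

def to_days(key, value):
    """Normalise a release-age setting to days; None if the value does not parse."""
    if AGE_KEYS[key] is not None:
        return float(value) / AGE_KEYS[key] if re.fullmatch(r"\d+(\.\d+)?", value) else None
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([dhms])", value)
    return float(m.group(1)) / {"d": 1, "h": 24, "m": 1440, "s": 86400}[m.group(2)] if m else None

def check(filename, text):
    """Findings for one config file: missing keys, delays under MIN_DAYS, flags not true."""
    cfg = parse_flat_config(text)
    findings = [f"{' or '.join(alts)} missing" for alts in REQUIRED.get(filename, ())
                if not any(k in cfg for k in alts)]
    for k, v in cfg.items():
        if k in AGE_KEYS and ((d := to_days(k, v)) is None or d < MIN_DAYS):
            findings.append(f"{k}={v} delays less than {MIN_DAYS} days")
        elif k in BOOL_KEYS and v.lower() != "true":
            findings.append(f"{k}={v} should be true")
    return findings

# Constructed sample configs: the pnpm one uses 7 *minutes* by mistake and leaves builds unreviewed.
SAMPLES = {".npmrc": "min-release-age=7\nignore-scripts=true\n",
           "pnpm-workspace.yaml": "minimumReleaseAge: 7\nstrictDepBuilds: false\n",
           ".bunfig.toml": "[install]\nminimumReleaseAge = 604800\n"}
if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, check(name, text) or "ok")
```

Nested YAML (such as pnpm's config.yaml) and multi-line TOML are out of scope for this line parser; it covers only the flat keys the table lists.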
User-level config locations
| Manager | macOS | Linux | Windows | $XDG_CONFIG_HOME |
|---|---|---|---|---|
| npm | ~/.npmrc | | | |
| pnpm | ~/.npmrc (shared with npm) | | | |
| pnpm global, ≤ 10 | ~/Library/Preferences/pnpm/rc | ~/.config/pnpm/rc | %LOCALAPPDATA%\pnpm\config\rc | $XDG_CONFIG_HOME/pnpm/rc |
| pnpm global,... | | | | |