DepsGuard - Guard your dependencies against supply chain attacks
Guard your dependencies against supply chain attacks.
Prevent the next npm supply chain compromise from impacting you. One command to scan and fix npm, pnpm, yarn, bun, aube, uv, pip, and poetry configs for security best practices. Zero dependencies. MIT.
Install

macOS
brew install depsguard
Homebrew (in homebrew-core – no tap needed). Works on Apple Silicon and Intel. Update later with brew upgrade depsguard.

Linux
sudo install -d -m 0755 /etc/apt/keyrings
curl -fsSL https://depsguard.com/apt/gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/depsguard.gpg
echo "deb [arch=amd64,arm64 signed-by=/etc/apt/keyrings/depsguard.gpg] https://depsguard.com/apt stable main" \
  | sudo tee /etc/apt/sources.list.d/depsguard.list >/dev/null
sudo apt update
sudo apt install depsguard
Debian/Ubuntu via APT. Also available via Homebrew on Linux. Update later with sudo apt update && sudo apt install --only-upgrade depsguard.

Windows
WinGet:
winget install Arnica.DepsGuard
Scoop:
scoop bucket add depsguard https://github.com/arnica/depsguard
scoop install depsguard
Update later with winget upgrade Arnica.DepsGuard or scoop update depsguard.

Cargo
cargo install depsguard
Requires a Rust toolchain (1.74+). Run cargo install --force depsguard to upgrade to the latest release.

Direct binaries · Full install guide
How to use
Install – pick your platform above.
Run depsguard in your terminal to launch the interactive TUI. It scans your system and shows a table of findings. Press any key to continue to the fix selector. Repo-level config discovery starts from the current directory and searches downward. Use depsguard scan for a read-only report, or depsguard --no-search to skip the recursive file search and only check user-level configs.
Note: some settings require a minimum version. If your version is too old you'll see:
ℹ min-release-age – requires npm ≥ 11.10 (have 10.2.0)
Upgrade with npm install -g npm@latest and re-run.
Navigate & select – use ↑↓ to move through the list (^u/^d to page). Press Space to toggle a fix on or off. Use quick-filter keys to bulk-select by file: a all, n .npmrc, u uv.toml, etc. – press once to select, again to deselect, a third time to clear the filter. Press f to show only currently selected fixes.
Preview – press d to see a diff of what will change before you commit to anything.
Apply – press Enter to apply the selected fixes. A timestamped backup is created before any file is written.
Rescan – DepsGuard automatically reruns the scan after applying, so you can verify everything is green.
Restore – run depsguard restore at any time to roll back from the backup list. Press q or Esc to quit.
Full documentation, config file locations, and troubleshooting tips are in the README.
Why this exists
Software supply chain attacks are increasing. On March 31, 2026, a compromised maintainer account was used to publish malicious versions of axios. The bad versions were live for ~3 hours before removal. Similar short-lived attacks hit ua-parser-js, colors, and node-ipc. Bigger campaigns followed: the self-replicating Shai-Hulud worm spread through hundreds of npm packages in 2025, and in May 2026 attackers poisoned dozens of TanStack packages through a compromised CI pipeline. The pattern is the same: an attacker publishes a poisoned version, and every npm install that runs before it's caught pulls it in.
Many modern package managers now ship with built-in defenses, and some are on by default: pnpm 11 enables a 24-hour cooldown and blocks exotic transitive dependencies, and npm v12 (expected in 2026) will block install scripts and git or remote-URL dependencies by default. But the defaults vary by version and are often weaker than they should be, so DepsGuard checks what is actually enabled and helps you turn on, or strengthen, the rest.
Supported settings
| Manager | Config file | Setting | What it does |
|---|---|---|---|
| npm | .npmrc | min-release-age=7 | Delay new versions by 7 days (npm ≥ 11.10) |
| npm / pnpm | .npmrc | ignore-scripts=true | Block malicious install scripts (npm honors this in .npmrc; pnpm ≥ 11 reads it from pnpm-workspace.yaml / global config.yaml) |
| pnpm | .npmrc | minimum-release-age=10080 | Delay new versions by 7 days (in minutes) (pnpm 10.16–10.x; pnpm ≥ 11 ignores .npmrc; use pnpm-workspace.yaml) |
| pnpm | rc (pnpm ≤ 10; pnpm ≥ 11 uses config.yaml with camelCase keys) | ignore-scripts=true | Block malicious install scripts |
| pnpm | rc | minimum-release-age=10080 | Delay new versions by 7 days (pnpm ≥ 10.16) |
| pnpm | rc | block-exotic-subdeps=true | Block untrusted transitive deps (pnpm ≥ 10.26) |
| pnpm | rc | trust-policy=no-downgrade | Block provenance downgrades (pnpm ≥ 10.21) |
| pnpm | rc | strict-dep-builds=true | Fail on unreviewed build scripts (pnpm ≥ 10.3) |
| pnpm | pnpm-workspace.yaml | minimumReleaseAge: 10080 | Delay new versions by 7 days (in minutes)... |
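A small audit of an .npmrc against the .npmrc rows of the table above, as an added example rather than DepsGuard's own code. The sample file is constructed, and the parser is a lenient key=value reader, not npm's own ini parser.

```python
# Added example (not DepsGuard's own code): audit an .npmrc against the
# table above. Covers the .npmrc rows only: npm, and pnpm 10.16-10.x
# (pnpm >= 11 ignores these keys in .npmrc and uses pnpm-workspace.yaml).

# Table rows that live in .npmrc: key -> recommended value.
NPMRC_CHECKS = {
    "min-release-age": 7,          # npm >= 11.10, in days
    "ignore-scripts": "true",      # npm / pnpm <= 10
    "minimum-release-age": 10080,  # pnpm 10.16-10.x, in minutes
}

def parse_npmrc(text):
    """Lenient ini-style parser: key=value per line, '#' or ';' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings

def audit_npmrc(text):
    """Return [(key, 'ok' | 'missing' | 'weak')] for every checked setting."""
    settings = parse_npmrc(text)
    findings = []
    for key, expected in NPMRC_CHECKS.items():
        value = settings.get(key)
        if value is None:
            status = "missing"
        elif isinstance(expected, int):
            # Cooldown windows: a delay shorter than recommended counts as weak.
            status = "ok" if value.isdigit() and int(value) >= expected else "weak"
        else:
            status = "ok" if value.lower() == expected else "weak"
        findings.append((key, status))
    return findings

def hardened_npmrc():
    """The .npmrc lines the table recommends, in key=value form."""
    return "".join(f"{k}={v}\n" for k, v in NPMRC_CHECKS.items())

# Constructed sample: cooldown too short, install scripts not blocked.
SAMPLE_NPMRC = "registry=https://registry.npmjs.org/\nmin-release-age=1\n"

if __name__ == "__main__":
    for key, status in audit_npmrc(SAMPLE_NPMRC):
        print(f"{status:8} {key}")
    print("--- recommended .npmrc ---\n" + hardened_npmrc(), end="")
```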