playbooks / supply chain
Trust No Package
Install discipline that survives hallucinated names, squatted packages, and malicious updates.

duck@duckaudit
Your AI just recommended a package with 12 downloads. Bold. Let us look at it together first.
how it burns you
Attackers publish malware under names AI assistants tend to invent, a trick called slopsquatting, and they compromise real popular packages too. One npm install runs arbitrary code on your machine with your credentials in reach. The package manager is the most trusting program you own.
Verify before you install
Thirty seconds of looking beats a compromised laptop. Check the package exists, check its age and downloads, check the repo link is real. Brand new packages with names suspiciously close to famous ones are the trap.
npm view express-validator # real: years old, millions of downloads
npm view expres-validator # typo bait: if it exists, someone set a trapStop install scripts from running by default
Post install scripts are code execution at install time, which is exactly how most npm malware detonates. Turn them off globally and allow the rare package that truly needs them.
# .npmrc
ignore-scripts=trueRespect the lockfile
The lockfile pins the exact code you audited. Commit it, use npm ci in CI and on deploy, and treat unexplained lockfile churn in a diff as a stop sign.
npm ci # installs exactly what the lockfile says, fails on driftLet robots watch your dependencies
Dependabot or Renovate opens the patch PR the day a vulnerability drops, while npm audit gives you the picture on demand. Free, automatic, and they never get bored.
npm audit --omit=dev
npm audit fix # review the diff before you commit itPrefer boring over shiny
Every dependency is a standing invitation into your build. The standard library, or a dependency you already have, beats a new package with three stars. Fewer invitations, fewer guests.
Make your AI do it
Paste this into Cursor or Claude Code from your project root.
Audit this repo's supply chain. 1) List every production dependency with its weekly downloads, age, and last publish date, flagging anything under 10k weekly downloads or under a year old. 2) Check for typo distance from famous package names. 3) Verify install scripts are disabled in .npmrc and the lockfile is committed and used in CI. 4) Run npm audit and summarize what actually matters for this app versus noise. 5) List dependencies we could delete because the stdlib or an existing dep covers them.
The 10 minute check
0/5receipts · every claim has a source
next playbook
Stripe Without Leaks →