JavaScript hardening overview
General settings

Scope:
- project
- global

Tools:
- npm
- yarn-classic
- yarn-berry
- pnpm
- bun-install

Prettify:
- Amount of newlines between config options

Comments:
- Add titles
- Add docs url

Minimum release age:
- in days. Example value (3 days): 3d
- in minutes. Example value (3 days): 4320
- in seconds. Example value (3 days): 259200

Block install scripts:
- If set to true, ignore scripts & disable pre/post scripts
- Set to true to disable postinstall scripts
- Not needed: strictDepBuilds is default & expected pnpm behaviour; allowBuilds overrides are prompted dynamically by pnpm
- Not needed: bun blocks install scripts by default

Block git repo/tarball sources for indirect dependencies:
- Options: "Exotic sources (git repos, tarballs...) allowed only for direct dependencies" or "Exotic sources (git repos, tarballs...) allowed for direct & indirect subdependencies"
- Direct dependencies are dependencies listed in your package.json. Defaults to true (allowed only for direct dependencies)

Don't install newer versions if security measures decreased:
- Options: no-downgrade or off
- When set to no-downgrade, package installation will fail if a package's trust level has decreased

Limit plug & play to listed dependencies:
- Options: "Disable hoisting" or "Strict plug'n'play"
- By default, semi-strict node_modules are used in pnpm
- Options: "Isolate dependencies" or "Hoist dependencies to a shared node_modules dir"

Anti-lockfile poisoning:
- Set to true to enable hardened mode: Yarn will query the remote registries to validate that the lockfile content matches the remote information
- Not needed: lockfile does not contain resolved urls
- Not needed: lockfile does not contain resolved urls