{"id":18063076,"url":"https://github.com/stagas/safe-npm","last_synced_at":"2026-04-25T08:36:00.384Z","repository":{"id":138086174,"uuid":"473880596","full_name":"stagas/safe-npm","owner":"stagas","description":"safe npm time travel installs","archived":false,"fork":false,"pushed_at":"2022-04-14T06:17:34.000Z","size":5,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-06-29T15:44:14.761Z","etag":null,"topics":["npm","security","time-travel"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stagas.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-25T05:31:04.000Z","updated_at":"2022-03-25T23:47:11.000Z","dependencies_parsed_at":"2023-07-07T06:16:24.888Z","dependency_job_id":null,"html_url":"https://github.com/stagas/safe-npm","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/stagas/safe-npm","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stagas%2Fsafe-npm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stagas%2Fsafe-npm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stagas%2Fsafe-npm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stagas%2Fsafe-npm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stagas","download_url":"https://codeload.github.com/stagas/safe-npm/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stagas%2Fsafe-npm/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32255702,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-25T04:23:17.126Z","status":"ssl_error","status_checked_at":"2026-04-25T04:21:53.360Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["npm","security","time-travel"],"created_at":"2024-10-31T05:09:17.451Z","updated_at":"2026-04-25T08:36:00.370Z","avatar_url":"https://github.com/stagas.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# safe-npm\n\nsafe npm time travel installs\n\n## Install\n\n```sh\nnpm i safe-npm-cli -g\n```\n\nYou can now use `safe-npm` wherever you were using `npm` before.\nIt's a drop-in replacement.\n\n## What is it?\n\nIt wraps and monkey-patches npm to always `install` with the `--before` option set to _**-5 (five) days**_ in the past _**\\_except\\_**_ for the dependencies you specify in the field `trustedDependencies` in `package.json`, like so:\n\n```json\n...\n  \"trustedDependencies\": [\n    \"decarg\",\n    \"pull-configs\",\n    \"vite-open\"\n  ],\n...\n```\n\nThose dependencies will bypass the `--before` option when npm tries to fetch their data. It will only work for the current project's `package.json`, not for dependencies but they will apply to the entire tree so you can point to a deep package as well. This new field is meant to let you still work on modules _**you**_ publish while still mitigate against some of the risks related to 0-day (\u003c5-day :) supply-chain attacks.\n\nOther than that, it should behave exactly like `npm` does so it's drop-in replacement. You can use `safe-npm` wherever you were using `npm` previously.\n\nIf you don't want to use this package and you still want to use time travel you can run this command:\n\n```sh\nnpm i --before=`date -I -d '-5 days'`\n```\n\nBut this has the problem that it will not pick up packages you just published so you'll be forced to do normal installs for them **which means** that **their** dependencies will NOT be time travelled and be subject to the same security issue. That's the reason this package was made for.\n\n## Disclaimer\n\nThis is a hacky solution and will probably fail miserably in random situations. Use at your own risk.\n\n## License\n\nMIT \u0026copy; 2022\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstagas%2Fsafe-npm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstagas%2Fsafe-npm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstagas%2Fsafe-npm/lists"}