https://github.com/antoniosubasic/npm-safe
container for installing npm packages in a sandboxed environment
- Host: GitHub
- URL: https://github.com/antoniosubasic/npm-safe
- Owner: antoniosubasic
- Created: 2026-04-29T06:26:23.000Z (about 2 months ago)
- Default Branch: main
- Last Pushed: 2026-05-17T09:30:25.000Z (about 1 month ago)
- Last Synced: 2026-05-17T11:35:50.607Z (about 1 month ago)
- Topics: container, npm, osv, sandobx, scanner
- Language: Shell
- Homepage:
- Size: 4.88 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Sandboxed NPM Package Installer
A simple container for auditing and installing NPM packages in a sandboxed environment. It uses Google's [OSV-Scanner](https://github.com/google/osv-scanner) to check the lockfile against the [OSV.dev](https://osv.dev) database of known vulnerabilities (CVE, GHSA and other advisories; no API key required).
Run the container from your project directory, since the bind mounts below are relative to it. The container only sees the files you mount, and manifests are mounted read-only wherever npm does not need to write them. Note that `--network=host` is required so npm can reach the registry, but it also means install scripts run with the host's network stack rather than an isolated one:
```bash
# Audit packages. Manifests are mounted read-only, so nothing on the host can be changed.
# --network=host                     npm needs the registry; this is the host's network namespace
# --cap-drop=ALL                     drop every Linux capability inside the container
# --security-opt no-new-privileges   setuid/setgid binaries cannot gain privileges
# :ro = read-only bind mount, Z = private SELinux label for the mount (podman)
podman run --rm \
  --network=host \
  --cap-drop=ALL \
  --security-opt no-new-privileges \
  -v ./package.json:/work/package.json:ro,Z \
  -v ./package-lock.json:/work/package-lock.json:ro,Z \
  ghcr.io/antoniosubasic/npm-safe:latest audit

# Install packages from an existing lockfile. Only node_modules is mounted writable.
podman run --rm \
  --network=host \
  --cap-drop=ALL \
  --security-opt no-new-privileges \
  -v ./package.json:/work/package.json:ro,Z \
  -v ./package-lock.json:/work/package-lock.json:ro,Z \
  -v ./node_modules:/work/node_modules:Z \
  ghcr.io/antoniosubasic/npm-safe:latest install

# Install a specific package (the sandboxed equivalent of running `npm install` with a package name).
# Note: package.json and package-lock.json are mounted writable here so npm can update them.
podman run --rm \
  --network=host \
  --cap-drop=ALL \
  --security-opt no-new-privileges \
  -v ./package.json:/work/package.json:Z \
  -v ./package-lock.json:/work/package-lock.json:Z \
  -v ./node_modules:/work/node_modules:Z \
  ghcr.io/antoniosubasic/npm-safe:latest install lodash
```
Packages must have been published at least 7 days ago; newer releases are rejected as a supply-chain safeguard, so that a malicious version pushed from a compromised maintainer account has time to be reported and pulled before it reaches your project.
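The same cooldown rule applied to a whole lockfile, as an added example that is not code from npm-safe: it reads the packages pinned in a lockfileVersion 3 `package-lock.json`, looks each version up in the per-package `time` map the registry returns for `npm view <pkg> time --json`, and rejects anything younger than the cutoff, treating missing metadata as a rejection rather than a pass. The lockfile fragment, the registry timestamps and the fixed clock are all constructed inline, and the package names are fictitious.

```javascript
// Added example, not part of npm-safe: enforce a minimum publish age for every
// package pinned in a package-lock.json. All data below is constructed.

const MIN_AGE_DAYS = 7;
const DAY_MS = 24 * 60 * 60 * 1000;

// Fixed clock so the run is deterministic (constructed, not the wall clock).
const NOW = Date.parse('2026-05-17T00:00:00Z');

// Constructed stand-in for what `npm view <pkg> time --json` returns per package:
// "created", "modified" and one ISO timestamp per published version.
const REGISTRY_TIMES = {
  'safe-lib': {
    created: '2024-03-01T00:00:00Z', modified: '2025-12-01T10:00:00Z',
    '2.0.0': '2024-03-01T00:00:00Z', '2.1.0': '2025-12-01T10:00:00Z',
  },
  '@acme/util': {
    created: '2025-06-10T00:00:00Z', modified: '2026-05-10T00:00:00Z',
    '1.4.1': '2025-06-10T00:00:00Z', '1.4.2': '2026-05-10T00:00:00Z', // exactly 7 days old
  },
  'fresh-lib': {
    created: '2026-01-15T00:00:00Z', modified: '2026-05-15T12:00:00Z',
    '2.9.1': '2026-01-15T00:00:00Z', '3.0.0': '2026-05-15T12:00:00Z', // 1.5 days old
  },
  // 'no-meta-lib' is deliberately absent: lookup failed or the package is unknown.
};

// Constructed lockfileVersion 3 fragment. Nested installs sit under a parent's
// node_modules/, and a scoped package keeps its @scope/ prefix in the path.
const LOCKFILE = {
  name: 'demo', lockfileVersion: 3,
  packages: {
    '': { name: 'demo', dependencies: { 'safe-lib': '^2.1.0', '@acme/util': '^1.4.2', 'fresh-lib': '^3.0.0' } },
    'node_modules/safe-lib': { version: '2.1.0' },
    'node_modules/@acme/util': { version: '1.4.2' },
    'node_modules/fresh-lib': { version: '3.0.0' },
    'node_modules/fresh-lib/node_modules/no-meta-lib': { version: '0.1.0' },
  },
};

// Package name from a lockfile path: everything after the last "node_modules/".
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// [{name, version}] for every installed package in a v2/v3 lockfile; the root
// entry and workspace links carry no registry version and are skipped.
function lockedPackages(lock) {
  const out = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '' || entry.link || !entry.version) continue;
    out.push({ name: nameFromLockPath(lockPath), version: entry.version });
  }
  return out;
}

// Age of one version in days, or null when the registry metadata lacks it.
function publishAgeDays(times, version, now) {
  const ts = times ? times[version] : undefined;
  if (!ts) return null;
  return (now - Date.parse(ts)) / DAY_MS;
}

// Newest version that already satisfies the cooldown, offered as a fallback.
function newestMatureVersion(times, now, minAgeDays) {
  let best = null;
  for (const [version, ts] of Object.entries(times || {})) {
    if (version === 'created' || version === 'modified') continue;
    if ((now - Date.parse(ts)) / DAY_MS < minAgeDays) continue;
    if (best === null || Date.parse(ts) > Date.parse(times[best])) best = version;
  }
  return best;
}

// Every locked package that fails the rule. Missing metadata fails too:
// "could not verify" must never be read as "safe".
function checkLockfile(lock, registryTimes, now = Date.now(), minAgeDays = MIN_AGE_DAYS) {
  const rejected = [];
  for (const { name, version } of lockedPackages(lock)) {
    const times = registryTimes[name];
    const age = publishAgeDays(times, version, now);
    if (age !== null && age >= minAgeDays) continue;
    rejected.push({
      name, version,
      reason: age === null ? 'no publish time in registry metadata' : `published ${age.toFixed(1)} days ago`,
      fallback: newestMatureVersion(times, now, minAgeDays),
    });
  }
  return rejected;
}

// Human-readable report lines, one per rejected package.
function report(rejected) {
  return rejected.map((r) =>
    `${r.name}@${r.version}: ${r.reason}` + (r.fallback ? ` (newest version old enough: ${r.fallback})` : ''));
}

console.log(report(checkLockfile(LOCKFILE, REGISTRY_TIMES, NOW)).join('\n'));
```

Run with `node`; in a real pipeline `REGISTRY_TIMES` would be filled from `npm view <pkg> time --json` for each locked package and `now` would be the wall clock, with a non-empty result failing the build.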