How to Respond to npm Package Poisoning?

Background

Recently there have been multiple npm supply-chain poisoning incidents, and people who only use npm occasionally (especially newcomers) are feeling anxious.

How do you all respond to such threats?

A few examples of poisoning incidents (many more can be found with a quick Google search):

Related Resources Compiled

pnpm audit is a command that checks the dependencies recorded in your project's lockfile (pnpm-lock.yaml) against known, published security advisories.

How it works:

  1. Reads your dependency tree from the lockfile, including both direct and transitive dependencies
  2. Sends that tree to the registry's audit endpoint, which is backed by public vulnerability databases such as the GitHub Advisory Database
  3. Reports the advisories that match an installed version, including:
    • Affected package name and version
    • Severity level (low / moderate / high / critical)
    • Vulnerability description and advisory identifier (GHSA id and, where one has been assigned, CVE id)
    • Recommended secure version to upgrade to (pnpm audit --fix rewrites package.json overrides to that version)
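To make the three steps concrete, here is a miniature audit written for this page (it is not pnpm's or Socket's code). It reads the `packages:` section of a constructed pnpm-lock.yaml excerpt, matches each installed version against a constructed advisory list with the same fields pnpm audit reports, and prints the findings by severity. The package names, advisory ids and the integrity hashes are fictional, and the semver matching handles plain x.y.z versions only; a real audit sends the tree to the registry instead of consulting a local list.

```javascript
// Added example (not pnpm's or Socket's code): a miniature "audit" that walks
// the three steps above against a constructed pnpm-lock.yaml excerpt and a
// constructed advisory list. Package names and advisory ids are fictional.

// Step 1 input: a constructed lockfile v9 excerpt. Only the `packages:` section
// is read, because every installed package (direct or transitive) has a key there.
const LOCKFILE = `
lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      acme-utils:
        specifier: ^2.1.0
        version: 2.1.3
packages:
  acme-utils@2.1.3:
    resolution: {integrity: sha512-constructed}
  '@acme/parser@0.9.4':
    resolution: {integrity: sha512-constructed}
  acme-logger@5.0.0(acme-utils@2.1.3):
    resolution: {integrity: sha512-constructed}
snapshots:
  acme-utils@2.1.3: {}
  '@acme/parser@0.9.4': {}
  acme-logger@5.0.0(acme-utils@2.1.3): {}
`;

// Step 2 input: constructed advisory entries with the fields pnpm audit reports
// (package, vulnerable version range, severity, fixed version). Not real advisories.
const ADVISORIES = [
  { id: 'EXAMPLE-0001', package: 'acme-utils', range: '<2.2.0',
    severity: 'high', fixed: '2.2.0', title: 'constructed: prototype pollution' },
  { id: 'EXAMPLE-0002', package: '@acme/parser', range: '>=0.9.0 <0.9.5',
    severity: 'critical', fixed: '0.9.5', title: 'constructed: code injection' },
  { id: 'EXAMPLE-0003', package: 'acme-logger', range: '<4.0.0',
    severity: 'low', fixed: '4.0.0', title: 'constructed: log forging' }, // installed 5.0.0 is not affected
];

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1 };

// Step 1: extract name/version pairs from the `packages:` section.
function parseLockfilePackages(text) {
  const pkgs = [];
  let inPackages = false;
  for (const line of text.split('\n')) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (inPackages && /^\S/.test(line)) inPackages = false; // next top-level key ends the section
    const m = inPackages && line.match(/^  '?([^'\s]+?)'?:\s*$/); // two-space indent = package key
    if (!m) continue;
    const key = m[1].replace(/\(.*$/, ''); // drop the peer-dependency suffix "(...)"
    const at = key.lastIndexOf('@');       // scoped names start with '@', so split at the last one
    pkgs.push({ name: key.slice(0, at), version: key.slice(at + 1) });
  }
  return pkgs;
}

// Minimal semver: numeric x.y.z only (pre-release tags are deliberately not handled).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// A range is a list of space-separated comparators that must all hold, e.g. ">=1.0.0 <1.2.6".
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((cmp) => {
    const m = /^(<=|>=|<|>|=?)(\d+\.\d+\.\d+)$/.exec(cmp);
    if (!m) throw new Error(`unsupported comparator: ${cmp}`);
    const c = compareVersions(version, m[2]);
    switch (m[1]) {
      case '<': return c < 0;
      case '<=': return c <= 0;
      case '>': return c > 0;
      case '>=': return c >= 0;
      default: return c === 0;
    }
  });
}

// Steps 2 and 3: match every installed package against the advisory list, worst severity first.
function audit(packages, advisories) {
  const findings = [];
  for (const { name, version } of packages) {
    for (const adv of advisories) {
      if (adv.package === name && satisfies(version, adv.range)) {
        findings.push({ package: name, version, id: adv.id, severity: adv.severity,
                        title: adv.title, fixed: adv.fixed });
      }
    }
  }
  return findings.sort((x, y) => SEVERITY_RANK[y.severity] - SEVERITY_RANK[x.severity]);
}

function auditLockfile(text, advisories) {
  return audit(parseLockfilePackages(text), advisories);
}

// Step 3 output, one line per finding in the spirit of pnpm audit's table.
for (const f of auditLockfile(LOCKFILE, ADVISORIES)) {
  console.log(`${f.severity.padEnd(8)} ${f.package}@${f.version}  ${f.id}: ${f.title}  (fix: >=${f.fixed})`);
}
```

Running it prints two findings (the critical @acme/parser entry first, then the high acme-utils one) and nothing for acme-logger, whose installed 5.0.0 falls outside the advisory's range. Notice what the matching is blind to: a package that is not in the advisory list at all is reported as clean, which is exactly the situation on the day a poisoned version is published.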

Difference from Socket CLI:

                          pnpm audit                                   Socket CLI
  Authentication required No                                           Yes (API token required)
  Scope of inspection     Known, published vulnerabilities only        Vulnerabilities plus supply-chain risks (malicious code, install scripts, typosquatting, etc.)
  Setup complexity        Zero configuration, works out of the box     Requires account registration

In short, pnpm audit is a free, no-setup baseline check that is ideal for quickly finding known vulnerabilities, while Socket provides broader coverage and tries to detect supply-chain attacks such as malicious code in a new release. Keep the limit in mind: a freshly poisoned version will not appear in pnpm audit until an advisory for it has been published, so an audit complements, rather than replaces, a committed lockfile and installs with pnpm install --frozen-lockfile.
