Created and maintained by https://safedep.io with contributions from the community 🚀
🤖 PMG protects developers from getting compromised by malicious packages. See example
- Wraps your favorite package manager (e.g. npm)
- Blocks malicious packages at install time
- No configuration required, just install and use
Install pmg

```bash
brew install safedep/tap/pmg
```

Set up pmg to protect your development environment from malicious packages:

```bash
echo "alias npm='pmg npm'" >> ~/.zshrc
echo "alias pnpm='pmg pnpm'" >> ~/.zshrc
source ~/.zshrc
```
Continue using your favorite package manager as usual:
```bash
npm install <package-name>
pnpm add <package-name>
```

- 🚫 Malicious package identification using SafeDep Cloud
- 🌲 Deep dependency analysis and transitive dependency resolution
- ⚡ Fast and efficient package verification
- 🔄 Seamless integration with existing package managers
PMG supports the following package managers:
| Package Manager | Status | Command |
|---|---|---|
| npm | ✅ Active | pmg npm install <package> |
| pnpm | ✅ Active | pmg pnpm add <package> |
| yarn | 🚧 Planned | |
| pip | 🚧 Planned | |
| poetry | 🚧 Planned | |
| uv | 🚧 Planned | |
Want us to support your favorite package manager? Open an issue and let us know!
You can install pmg using Homebrew on macOS and Linux:

```bash
brew tap safedep/tap
brew install safedep/tap/pmg
```

Download the latest binary from the releases page.

Ensure $(go env GOPATH)/bin is in your $PATH, then run:

```bash
go install github.com/safedep/pmg@latest
```

Install a package with npm or pnpm:
```bash
pmg npm install <package-name>
pmg pnpm add <package-name>
```

Set shell aliases for convenience:

```bash
alias npm="pmg npm"
alias pnpm="pmg pnpm"
```

Continue using your favorite package manager as usual:

```bash
npm install <package-name>
pnpm add <package-name>
```

Use the --silent flag to run PMG in silent mode:

```bash
pmg --silent npm install <package-name>
```

Use the --verbose flag to run PMG in verbose mode:

```bash
pmg --verbose npm install <package-name>
```

Use the --debug flag to enable debug mode:

```bash
pmg --debug npm install <package-name>
```

Store the debug logs in a file:

```bash
pmg --debug --log /tmp/debug.json npm install <package-name>
```

Refer to CONTRIBUTING.md
Approximate dependency version resolution
pmg resolves the transitive dependencies of a package before it is installed by querying
package registry APIs such as npmjs and pypi. However, dependency versions are almost always
specified as ranges rather than exact versions. Different package managers resolve these ranges
differently, and the result also depends on peer or host dependencies already present in the application.

pmg must block a malicious package before it is installed, so it applies its own heuristic
to choose one version from a version range for evaluation. This is fine when every version of a given
package is malicious. However, when only a specific version of a package is malicious, the version pmg
evaluates may differ from the one the package manager actually installs, so the verdict can be inconsistent.
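To make that caveat concrete, here is an added example in Go. It is not pmg's own code: the range parser, the published-version list and the flagged-version map are all constructed for illustration, and only the three common npm-style constraints (`^`, `~`, exact) are modelled. `Evaluate` returns the version a "newest satisfying" heuristic would inspect alongside every version in the range that the verdict map flags, so the two outcomes can be compared directly:

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Version is a minimal semver triple; pre-release tags and build metadata are not modelled here.
type Version [3]int

func ParseVersion(s string) (Version, error) {
	var v Version
	if n, err := fmt.Sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2]); n != 3 {
		return Version{}, fmt.Errorf("unsupported version %q: %v", s, err)
	}
	return v, nil
}

func (v Version) String() string { return fmt.Sprintf("%d.%d.%d", v[0], v[1], v[2]) }

// Less orders versions by major, then minor, then patch.
func (v Version) Less(o Version) bool {
	for i := range v {
		if v[i] != o[i] {
			return v[i] < o[i]
		}
	}
	return false
}

// Range is the half-open interval [Low, High) allowed by a constraint.
type Range struct{ Low, High Version }

func (r Range) Contains(v Version) bool { return !v.Less(r.Low) && v.Less(r.High) }

// ParseRange handles the npm-style constraints "^x.y.z", "~x.y.z" and exact "x.y.z".
func ParseRange(spec string) (Range, error) {
	op := ""
	if strings.HasPrefix(spec, "^") || strings.HasPrefix(spec, "~") {
		op, spec = spec[:1], spec[1:]
	}
	v, err := ParseVersion(spec)
	if err != nil {
		return Range{}, err
	}
	switch {
	case op == "^" && v[0] > 0: // ^1.2.3 allows >=1.2.3 <2.0.0
		return Range{v, Version{v[0] + 1, 0, 0}}, nil
	case op == "~" || (op == "^" && v[1] > 0): // ~1.2.3 and ^0.2.3 allow patch bumps only
		return Range{v, Version{v[0], v[1] + 1, 0}}, nil
	default: // exact version, or ^0.0.z, which pins the patch level
		return Range{v, Version{v[0], v[1], v[2] + 1}}, nil
	}
}

// SatisfyingVersions returns the published versions matching spec, oldest first.
func SatisfyingVersions(published []string, spec string) ([]Version, error) {
	r, err := ParseRange(spec)
	if err != nil {
		return nil, err
	}
	var out []Version
	for _, p := range published {
		v, err := ParseVersion(p)
		if err != nil {
			return nil, err
		}
		if r.Contains(v) {
			out = append(out, v)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Less(out[j]) })
	return out, nil
}

// Evaluate returns the version a "newest satisfying" heuristic would inspect (what a fresh
// install usually fetches) and, separately, every version in the range that the verdict map flags.
func Evaluate(published []string, spec string, flagged map[string]bool) (string, []string, error) {
	c, err := SatisfyingVersions(published, spec)
	if err != nil {
		return "", nil, err
	}
	if len(c) == 0 {
		return "", nil, fmt.Errorf("no published version satisfies %q", spec)
	}
	var bad []string
	for _, v := range c {
		if flagged[v.String()] {
			bad = append(bad, v.String())
		}
	}
	return c[len(c)-1].String(), bad, nil
}

func main() {
	// Constructed registry state and verdicts for a hypothetical package; not real data.
	published := []string{"1.2.0", "1.2.1", "1.3.0", "2.0.0"}
	flagged := map[string]bool{"1.2.1": true} // only one release is malicious
	chosen, bad, _ := Evaluate(published, "^1.2.0", flagged)
	fmt.Printf("heuristic inspects %s (flagged=%v); flagged within range: %v\n", chosen, flagged[chosen], bad)
}
```

With the constructed data the heuristic inspects 1.3.0 and sees nothing wrong, while 1.2.1 inside the same range is flagged; a lockfile or peer constraint that pins 1.2.1 would install the flagged release anyway. Checking every version the range admits closes that gap at the cost of more registry queries, which is the trade-off behind the inconsistency described above.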