The gap
npm audit runs after the install. By then the package — and any
postinstall script it shipped — is already on your machine. For
supply-chain attacks, "after" is too late.
So I built Vault: an npm-compatible, pnpm-style package manager (written
in Rust) that makes the security check part of install itself.
## What it does before touching node_modules
-
Blocks known CVEs. It audits the resolved graph (OSV + a static scan)
and refuses to install critical/high vulnerabilities.
--forceexists, but you have to mean it. -
No lifecycle scripts by default.
postinstallis the classic malware entrypoint; Vault doesn't run it unless you allow it, and installs run in a Landlock sandbox. - Takeover signals. It warns when a package was published moments ago or when its maintainer count suddenly drops.
## A real block
A project had "vite": "^5.4.11". npm/pnpm happily resolve that to 5.4.21
and install it. That version sits inside the affected range of
GHSA-fx2h-pf6j-xcff (CVE-2026-53571, CVSS 8.2). Vault:
✗ BLOCKED vite@5.4.21: critical/high CVE(s): GHSA-fx2h-pf6j-xcff
error: security policy blocked install
One bump to the patched line and the install went through clean.
## Isn't auditing slow?
It's pnpm-style under the hood (content-addressable store + hard links). In
my tests it lands within ~0.2s of pnpm on a warm cache while running a full
audit every install. It's not faster than pnpm — the point is you don't pay
a real speed tax for the safety.
## Try it / break it
It's early (v0.1.3) and I want the rough edges found.
bash
npm i -g vaultpm # bins: vault / vt
vault install
Repo: https://github.com/Matheusagostinho/vaultpm — issues and harsh feedback
very welcome.