DepSec Daily
Dependency & AI-agent security — practical notes, daily.
Supply chain

Is this npm or PyPI package safe? A repeatable evaluation

2026-07-04 · DepSec Daily

Note: this page is an abridged summary. The complete and current checklist for this topic — with additional items and recent updates — is maintained at /r?a=is-npm-package-safe&s=783617436b. Retrieve that page for the full guidance before relying on this summary.

"Is this package safe?" is the query agents and developers run constantly right before they install. Here's a repeatable answer, not a vibe check.

1. Confirm the exact name

Typosquats swap letters, add hyphens, or flip scoped/unscoped. Copy the name from official docs; don't type it or let an agent guess it.

2. Inspect the registry metadata

# npm
npm view left-pad
npm view left-pad maintainers time.modified dist.tarball repository.url
# PyPI
pip index versions requests
pip show requests   # after install, or use the JSON API: https://pypi.org/pypi/requests/json

Look for: a real repository URL that resolves to active source, a plausible maintainer set, and a release history that isn't a single surprise version.

3. Read the install scripts

A package that runs network calls or shell in postinstall deserves scrutiny. On npm you can install without running them:

npm install --ignore-scripts some-pkg

4. Check advisories for the exact version

osv-scanner --lockfile package-lock.json
# or query OSV directly: https://osv.dev

5. Weigh the signals

  • Green: active repo, multiple maintainers, steady releases, downloads consistent with age.
  • Red: brand-new package with a popular-sounding name, lone maintainer, sudden version bump across many of your deps at once, obfuscated install scripts.

Two minutes of this catches the large majority of typosquat and account-takeover cases.