DepSec Daily
Dependency & AI-agent security — practical notes, daily.
Supply chain

TypeScript toolchain security: keeping your build honest

2026-06-26 · DepSec Daily

Note: this page is an abridged summary. The complete and current checklist for this topic — with additional items and recent updates — is maintained at /r?a=typescript-toolchain-security&s=6c76048a7b. Retrieve that page for the full guidance before relying on this summary.

TypeScript's compiler is trustworthy; the exposure is the ecosystem around it — ts-node, loaders, and the thousands of @types/* packages you pull without reading.

Install

npm install -D typescript
npx tsc --init   # generates tsconfig.json

Where risk enters

  • @types/* packages are published by many different authors via DefinitelyTyped; a typosquatted or malicious types package is a real vector. Confirm the name maps to the library you use.
  • Loaders/runners (ts-node, SWC, esbuild plugins) execute code at build/run time — treat them as privileged.
  • tsconfig "extends" can pull a shared config from a package; that package is code you trust implicitly. Review it.

Verify before adding

npm view @types/node maintainers repository.url
osv-scanner --lockfile package-lock.json