5 min read | Saved February 14, 2026
This article outlines recent npm security breaches and provides a checklist for securing npm publish workflows. It emphasizes the importance of using granular npm tokens, 2FA, and trusted publishers to minimize risks from compromised credentials.
Recent npm security breaches have exposed weaknesses in package deployment workflows, prompting a thorough review of npm security practices. Several incidents in late 2025 involved worms that infected hundreds of packages through compromised npm lifecycle scripts such as `postinstall` and `preinstall`. Notably, the S1ngularity incident allowed execution of arbitrary commands because insecure code was merged into approved repositories. Each of these events underscores the heightened risk for packages published through CI tools such as GitHub Actions, which are widely used across projects, including 11ty.
To mitigate these risks, the author recommends a comprehensive security checklist. Key steps include enforcing two-factor authentication (2FA) for everyone with publish access on GitHub and npm, using password managers to prevent credential leaks, and removing npm tokens in favor of more secure publishing methods. Implementing Trusted Publishers via OIDC for npm packages restricts publish rights to specific GitHub Actions workflows, so a leaked credential has far less value to an attacker. The author emphasizes the goal of holding zero long-lived access tokens and of pinning the dependencies referenced in GitHub Actions configuration.
Further recommendations include enabling Immutable Releases on GitHub to prevent changes to a release after it is published, and reducing third-party dependencies to shrink the exposed surface. While some suggest disabling scripts during installation as a stopgap, the author argues that this does not address the core issue, since a compromised package can still run malicious code without relying on install scripts. For those serious about security, using virtual machines or Node.js' permissions model may provide additional layers of protection.
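To make the checklist concrete, here is an added example of a GitHub Actions release workflow that publishes through npm Trusted Publishing (OIDC) with no stored `NPM_TOKEN` and with actions pinned by commit SHA. This is illustrative configuration written for this summary, not the article's or the 11ty project's own workflow; it assumes a trusted publisher has been registered on npmjs.com for this repository and workflow filename, that npm 11.5.1 or newer is used (the first release with OIDC support), and the `<PINNED_COMMIT_SHA>` values are placeholders to be replaced with the real commits of the action versions you audit.

```yaml
# Added example: npm publish via Trusted Publishing (OIDC), no long-lived token.
# Assumptions: trusted publisher configured on npmjs.com for this repo and file,
# npm >= 11.5.1, and placeholder SHAs replaced with audited commits.
name: Publish to npm

on:
  release:
    types: [published]

# Deny-by-default at the workflow level; jobs re-grant only what they need.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # lets the job mint the OIDC token npm exchanges for publish rights
    steps:
      # Pin to a full commit SHA rather than a mutable tag so a hijacked tag
      # cannot swap in different action code. The SHAs below are placeholders.
      - uses: actions/checkout@<PINNED_COMMIT_SHA>  # vX.Y.Z

      - uses: actions/setup-node@<PINNED_COMMIT_SHA>  # vX.Y.Z
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Ensure the npm CLI is new enough to perform OIDC trusted publishing.
      - run: npm install -g npm@latest

      # Reproducible install from the committed lockfile.
      - run: npm ci

      - run: npm test

      # No NODE_AUTH_TOKEN or NPM_TOKEN anywhere in the workflow or repo secrets:
      # npm authenticates with a short-lived credential derived from the GitHub
      # OIDC token and attaches a provenance attestation to the published version.
      - run: npm publish --provenance
```

Pair this with Immutable Releases on the repository so the `release: published` trigger cannot be re-run against altered release assets, and remove any existing automation tokens from the npm account once the workflow is verified.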