Saved February 14, 2026
Do you care about this?
safe-npm is a tool that helps protect projects from compromised npm packages by only installing package versions that have been published for at least 90 days. The delay gives the security community time to spot and report a malicious release before it reaches your project. The tool also provides options for tuning the age policy per dependency group and for exempting specific packages.
If you do, here's more
safe-npm is a security-focused npm installer designed to protect projects from compromised packages. It addresses the rising threat of supply chain attacks in which attackers take over legitimate npm packages, typically by stealing maintainer credentials, and publish a malicious version that every project tracking a semver range would pick up on its next install. To mitigate this risk, safe-npm by default only installs package versions that have been publicly available for at least 90 days. This waiting period gives the community time to identify and report malicious changes before they can affect users' projects.
When you run safe-npm, it reads your dependencies from your project's package.json or from the command line, queries the npm registry for the available versions and their publish timestamps, and filters out any version that was published more recently than the configured minimum age. For example, if you request react@^18 and a harmful version was released yesterday, safe-npm will instead install the newest version that both satisfies the range and meets the age requirement. Options include setting your own minimum age and specifying packages that may bypass the age check entirely.
The tool also supports separate policies for development and production dependencies, so you can apply a stricter age threshold to production dependencies while being more lenient with dev dependencies. A dry-run mode previews the versions that would be installed without changing anything, which is useful for testing a policy before adopting it. The trade-off needs careful thought: the delay applies to security fixes as well, so a patched release for a known vulnerability cannot be installed until it has aged past the threshold unless you lower the minimum age or exempt that package, and a malicious version that goes unnoticed for the full waiting period will still pass the check. Treat the age policy as one layer alongside regular dependency audits and advisory monitoring, not as a complete defence.
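The selection logic described above, as an added example that is not safe-npm's own code: it resolves each dependency to the newest version that satisfies its range and whose registry publish timestamp is at least the configured number of days old, with a looser threshold for devDependencies and an exemption list. The registry document shape ({ versions, time }) mirrors what the npm registry returns; the policy keys (minAgeDays, devMinAgeDays, exempt), the function names, and every version number and timestamp in the snapshot are assumptions constructed for this example, not real releases or safe-npm configuration.

```javascript
// Added example (not safe-npm's own code): choose the newest version of each
// dependency that satisfies its range AND was published at least N days ago,
// with a looser age policy for devDependencies and an exemption list.
const DAY_MS = 24 * 60 * 60 * 1000;

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null; // prereleases ignored
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Minimal range matcher: '*', exact 'X.Y.Z', or caret ranges like '^18', '^18.2.0', '^0.2'.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!v) return false;
  if (range === '*') return true;
  const caret = range.startsWith('^');
  const given = range.replace(/^\^/, '').split('.').map(Number);
  const lower = [...given];
  while (lower.length < 3) lower.push(0);
  if (!caret) return compareVersions(version, lower.join('.')) === 0;
  if (compareVersions(version, lower.join('.')) < 0) return false;
  // Caret: every component up to the leftmost non-zero one must match
  // (^18 -> <19.0.0, ^0.2 -> <0.3.0, ^0 -> <1.0.0).
  let fixed = lower.findIndex((n) => n !== 0);
  if (fixed === -1) fixed = given.length - 1;
  return v.slice(0, fixed + 1).every((n, i) => n === lower[i]);
}

// meta mirrors the registry package document: { versions: {...}, time: { "X.Y.Z": ISO date } }.
function selectVersion(meta, range, { minAgeDays, now, exempt = false }) {
  const cutoff = now - minAgeDays * DAY_MS;
  const ok = Object.keys(meta.versions)
    .filter((v) => satisfies(v, range))
    .filter((v) => exempt || Date.parse(meta.time[v]) <= cutoff)
    .sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// Policy fields are this example's own names, not safe-npm's configuration keys.
function resolveDependencies(pkg, registry, policy, now) {
  const out = { dependencies: {}, devDependencies: {}, unresolved: [] };
  const groups = [
    ['dependencies', policy.minAgeDays],
    ['devDependencies', policy.devMinAgeDays ?? policy.minAgeDays],
  ];
  for (const [group, minAgeDays] of groups) {
    for (const [name, range] of Object.entries(pkg[group] || {})) {
      const meta = registry[name];
      const exempt = (policy.exempt || []).includes(name);
      const chosen = meta ? selectVersion(meta, range, { minAgeDays, now, exempt }) : null;
      if (chosen) out[group][name] = chosen;
      else out.unresolved.push(`${name}@${range}`); // nothing old enough: fail closed
    }
  }
  return out;
}

// Constructed registry snapshot and package.json for a dry run; the version
// numbers and timestamps below are invented for this example, not real releases.
const NOW = Date.parse('2026-02-14T00:00:00Z');
const REGISTRY = {
  react: {
    versions: { '18.2.0': {}, '18.3.1': {}, '18.3.2': {}, '19.0.0': {} },
    time: { '18.2.0': '2024-01-01T00:00:00Z', '18.3.1': '2025-06-01T00:00:00Z',
            '18.3.2': '2026-02-13T12:00:00Z', '19.0.0': '2025-01-01T00:00:00Z' },
  },
  eslint: {
    versions: { '9.19.0': {}, '9.20.0': {} },
    time: { '9.19.0': '2025-10-01T00:00:00Z', '9.20.0': '2026-01-15T00:00:00Z' },
  },
  '@myorg/internal': {
    versions: { '1.0.0': {}, '1.0.1': {} },
    time: { '1.0.0': '2025-01-01T00:00:00Z', '1.0.1': '2026-02-13T00:00:00Z' },
  },
  'fresh-only': { versions: { '1.0.0': {} }, time: { '1.0.0': '2026-02-13T00:00:00Z' } },
};
const PKG = {
  dependencies: { react: '^18', '@myorg/internal': '^1', 'fresh-only': '*' },
  devDependencies: { eslint: '^9' },
};
const POLICY = { minAgeDays: 90, devMinAgeDays: 14, exempt: ['@myorg/internal'] };

const plan = resolveDependencies(PKG, REGISTRY, POLICY, NOW);
console.log(JSON.stringify(plan, null, 2));
```

In the constructed snapshot, react@^18 resolves to 18.3.1 because the day-old 18.3.2 fails the 90-day check and 19.0.0 is outside the range; eslint resolves to the 30-day-old 9.20.0 only because the dev threshold is 14 days; the exempted @myorg/internal gets its newest version regardless of age; and fresh-only, which has no version old enough, is reported as unresolved rather than silently installed. Note that the check trusts the registry's publish timestamps, so an attacker who controls the registry response could defeat it; the tool's threat model is a compromised package, not a compromised registry.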