How To Evaluate An NPM Package
Running npm install adds a stranger's code to your production app. That code can access your files, read your environment variables, and steal your data. You are trusting a stranger with your infrastructure.
Stars and downloads do not prove a package is safe. Supply chain attacks are common, and attackers hijack popular packages. AI tools also suggest package names that do not exist; this is called slopsquatting. Verify every package an LLM suggests.
Use this process to pick safe packages.
Ask the first question: do you need this dependency at all? If the package disappeared tomorrow, how hard would it be to replace? If replacing it would be hard, the risk is high. If you only need one helper function, write it yourself.
Check the maintenance:
- Look at the Issues tab on GitHub.
- See whether the author ignores old bugs.
- Filter out bot commits when judging how active the project is.
- Check for a detailed changelog.
- Check whether one person does all the work.
Verify the source:
- Look for the green Provenance badge on npmjs.com.
- The badge proves the published code was built from the linked GitHub commit.
- Run npm audit signatures in your terminal to verify the registry signatures.
- Check package.json for unexplained install scripts (preinstall, install, postinstall).
Check the quality:
- Look for a SECURITY.md file.
- Check if TypeScript strict mode is on.
- See if CI tests run on pull requests.
If you have five minutes, check these three things:
- Is the package necessary?
- Does it have provenance?
- Does it have weird install scripts?
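The install-script and provenance checks above, as an added example that is not part of the original post: it inspects a package manifest for lifecycle scripts that run automatically on npm install and looks for the registry's provenance attestation fields. The input objects are constructed, and the dist.attestations field names are assumed from the public npm registry format.

```javascript
// Added example (not from the original post). Audits a package manifest for
// lifecycle scripts that npm runs automatically when the package is installed
// as a dependency, and checks registry metadata for a provenance attestation.

// Script names npm executes during `npm install` of a dependency.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Return every install-time lifecycle script in the manifest with its command.
function findInstallScripts(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS
    .filter((name) => typeof scripts[name] === "string" && scripts[name].trim() !== "")
    .map((name) => ({ name, command: scripts[name] }));
}

// Registry version metadata carries `dist.attestations` when the package was
// published with provenance. Field names are assumed from the public registry
// format (constructed here); a missing field means "no provenance".
function hasProvenance(registryVersion) {
  const att = registryVersion && registryVersion.dist && registryVersion.dist.attestations;
  return Boolean(att && att.url && att.provenance);
}

// Apply the three five-minute checks. `necessary` is the reviewer's own answer
// to "do you need this dependency?".
function evaluatePackage({ manifest, registryVersion, necessary }) {
  const installScripts = findInstallScripts(manifest);
  const provenance = hasProvenance(registryVersion);
  const findings = [];
  if (!necessary) findings.push("dependency not clearly necessary");
  if (!provenance) findings.push("no provenance attestation on the registry");
  for (const s of installScripts) findings.push(`install script ${s.name}: ${s.command}`);
  return { installScripts, provenance, findings, ok: findings.length === 0 };
}

// Constructed sample: a manifest with an unexplained postinstall and no provenance.
const sampleManifest = {
  name: "example-helper",
  version: "1.0.0",
  scripts: { test: "node test.js", postinstall: "node setup.js" },
};
const sampleRegistryVersion = {
  dist: { tarball: "https://registry.npmjs.org/example-helper/-/example-helper-1.0.0.tgz" },
};

const result = evaluatePackage({
  manifest: sampleManifest, registryVersion: sampleRegistryVersion, necessary: true,
});
console.log(result.ok ? "no findings" : result.findings.join("\n"));
```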
Source: https://dev.to/gkoos/how-to-evaluate-an-npm-package-2026-edition-e8j