How Do I Secure npm When Using AI Coding Assistants?
For security-conscious developers using AI coding assistants (Copilot, Cursor, Aider) · Based on the npm Supply Chain Lockdown Framework
// TL;DR
AI coding assistants like Copilot, Cursor, and Aider frequently suggest `npm install` commands that add unnecessary dependencies or include flags that bypass your security settings. The npm Supply Chain Lockdown Framework provides seven automated defenses — release age gating, install script blocking, exotic dependency restrictions, pre-installation firewalls, lock file validation, clean installs, and deliberate upgrade habits — that protect you even when AI-generated commands try to circumvent them. Apply it to any project where an AI assistant has write access to your terminal or generates dependency-related code.
Why Do AI Coding Assistants Create npm Supply Chain Risk?
AI assistants introduce two specific supply chain risks that manual development doesn't:
1. Unnecessary dependencies: LLMs default to suggesting package installations for functionality that native APIs or simple utility functions handle perfectly. Every additional package increases your attack surface, and attacks spread through transitive dependencies. When an AI suggests `npm install lodash` for a single array operation, it's adding a dependency tree you don't need.
2. Bypass flags: LLM-generated install commands may silently include flags that override your release age gating, pulling the latest version of a package regardless of your configured age window. If you paste and run the command without reviewing it, your protection is nullified.
Most AI-generated commands cannot bypass the Lockdown Framework's config-level protections, but certain CLI flags do override config settings, so AI output still has to be reviewed before it runs.
How Do I Configure the Framework to Catch AI-Generated Risks?
Release Age Gating: Set this in your config file, not as a CLI flag. Config-file settings apply by default to every install command. An AI-generated command would need to explicitly override the config to bypass it — which is visible and reviewable.
Install Script Blocking: Same principle. Set `ignore-scripts=true` in .npmrc or rely on pnpm/bun defaults. The AI can't re-enable scripts without modifying your config file, which should be reviewed in version control.
Firewall Tool: Alias your install command to Socket or npq. Even if the AI generates `npm install malicious-package`, the firewall intercepts it before the package reaches your machine.
The critical habit: Before accepting any AI-suggested `npm install` command, ask yourself two questions: (1) Can I write this in 20 lines instead of importing a package? (2) Does this command include any flags I didn't ask for?
In agentic coding contexts where the AI can execute commands autonomously, the config-level protections are your last line of defense. Make sure they're set.
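The two review questions above, applied mechanically, as an added example that is not part of the original article or the Lockdown Framework: a Node.js gate that inspects an AI-suggested `npm install` command for flags that override `.npmrc` and for packages the article says native code can replace, plus a check that `.npmrc` actually pins `ignore-scripts=true`. The override flag list (`--no-ignore-scripts`, `--before`, `--registry`, `--force`) is my assumption about which npm options take precedence over config-file values.

```javascript
// Added example (not from the article or the Lockdown Framework). The flag list
// is an assumption: npm options that take precedence over values pinned in .npmrc.
const NATIVE_REPLACEMENTS = { // packages the article names, and the built-in that replaces each
  axios: "a fetch() wrapper",
  uuid: "crypto.randomUUID()",
  dayjs: "Intl.DateTimeFormat",
  lodash: "native Array/Object methods",
};
const CONFIG_OVERRIDES = [
  /^--no-ignore-scripts$/, /^--ignore-scripts=false$/, // re-enables install scripts
  /^--before(=|$)/,                                     // moves the release-age cutoff
  /^--registry(=|$)/,                                   // points at another registry
  /^--force$/, /^-f$/,                                  // skips npm's safety checks
];

// Strip the version/tag/range from a spec, handling @scope/name@range as well.
function packageName(spec) {
  const at = spec.indexOf("@", spec.startsWith("@") ? 1 : 0);
  return at === -1 ? spec : spec.slice(0, at);
}

// True if the .npmrc text pins ignore-scripts=true (comments and blank lines ignored).
function npmrcBlocksScripts(npmrcText) {
  return npmrcText.split(/\r?\n/).some((line) => {
    const [key, value] = line.trim().split("=").map((s) => s.trim());
    return key === "ignore-scripts" && value === "true";
  });
}

// Review a command string: which flags override config, which packages native code
// could replace, and whether it can be accepted as-is.
function reviewInstallCommand(command) {
  const tokens = command.trim().split(/\s+/);
  if (tokens[0] !== "npm" || !["install", "i", "add"].includes(tokens[1])) {
    return { isInstall: false, overrides: [], replaceable: [], accept: true };
  }
  const args = tokens.slice(2), overrides = [], specs = [];
  for (let i = 0; i < args.length; i++) {
    if (CONFIG_OVERRIDES.some((re) => re.test(args[i]))) {
      overrides.push(args[i]);
      if (/^--(before|registry)$/.test(args[i])) i++; // next token is the option's value
    } else if (!args[i].startsWith("-")) specs.push(args[i]);
  }
  const replaceable = specs.map(packageName)
    .filter((n) => Object.hasOwn(NATIVE_REPLACEMENTS, n)) // hasOwn: no prototype keys
    .map((n) => ({ name: n, useInstead: NATIVE_REPLACEMENTS[n] }));
  return { isInstall: true, overrides, replaceable, accept: !overrides.length && !replaceable.length };
}
```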
What Should I Do Instead of Installing AI-Suggested Packages?
Ask the AI to write the utility function directly. Instead of `npm install axios`, ask it to write a fetch wrapper. Instead of `npm install uuid`, ask for a `crypto.randomUUID()` call. Instead of `npm install dayjs`, ask for native `Intl.DateTimeFormat` usage.
This approach eliminates the dependency entirely — zero attack surface from that functionality. The code is fully visible in your codebase, reviewable, and doesn't pull in a transitive dependency tree you've never audited.
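What the `axios` replacement looks like in practice, as an added example (not code from the article): a fetch() wrapper with a timeout, JSON encoding and a non-2xx error, built only from platform built-ins available in Node 18+ and browsers. The `fetchImpl` parameter is my addition so the wrapper can be exercised without a network.

```javascript
// Added example, not code from the article: the dependency-free alternative to
// `npm install axios` that the text recommends. Only platform built-ins are used
// (URL, fetch, AbortSignal.timeout; Node 18+ or a browser is assumed).

// Build the URL and fetch() options for a call. Pure, so it can be checked offline.
function buildRequest(baseUrl, path, { method = "GET", query = {}, json, headers = {} } = {}) {
  const url = new URL(path, baseUrl);
  for (const [k, v] of Object.entries(query)) url.searchParams.set(k, String(v));
  const init = { method, headers: { accept: "application/json", ...headers } };
  if (json !== undefined) {
    init.headers["content-type"] = "application/json";
    init.body = JSON.stringify(json);
  }
  return { url: url.toString(), init };
}

// Error carrying the status and decoded body, so callers can branch on it.
class HttpError extends Error {
  constructor(status, url, body) {
    super(`HTTP ${status} for ${url}`);
    this.status = status;
    this.body = body;
  }
}

// Client bound to a base URL. `fetchImpl` is injectable so tests can run without a
// network; it defaults to the global fetch.
function createHttpClient(baseUrl, { timeoutMs = 10_000, fetchImpl = globalThis.fetch } = {}) {
  async function request(path, options = {}) {
    const { url, init } = buildRequest(baseUrl, path, options);
    const res = await fetchImpl(url, { ...init, signal: AbortSignal.timeout(timeoutMs) });
    const text = await res.text();
    const isJson = (res.headers.get("content-type") || "").includes("application/json");
    const body = isJson && text ? JSON.parse(text) : text;
    if (!res.ok) throw new HttpError(res.status, url, body);
    return body;
  }
  return {
    get: (path, options) => request(path, { ...options, method: "GET" }),
    post: (path, json, options) => request(path, { ...options, method: "POST", json }),
  };
}
```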
For packages that genuinely require complex native functionality (database drivers, image processing, cryptographic libraries), installation is appropriate. Apply all seven framework layers and verify the package through your firewall tool.
How Do I Audit Dependencies an AI Has Already Added to My Project?
If you've been using an AI assistant and haven't yet applied the Lockdown Framework:
1. Review your `package.json` for packages that could be replaced with native code.
2. Run your firewall tool against the full dependency tree.
3. Check your lock file with lockfile-lint (npm/bun) for URL integrity.
4. Enable all seven layers of the framework.
5. Clear your package manager cache so every cached package is re-scanned.
Going forward, treat every AI-suggested dependency as an attack surface decision. The framework's automated layers will catch most threats, but the habit of minimizing dependencies is your most powerful defense.
Start now: add age gating to your config file and alias your install command to a firewall tool. These two changes alone block the majority of supply chain attacks, including those introduced through AI-generated commands.
// FREQUENTLY ASKED QUESTIONS
Can GitHub Copilot bypass my npm security settings?
Copilot-generated install commands can include flags that override config-file settings like release age gating. For example, a command with a `--prefer-latest` or explicit version flag may bypass your age window. However, Copilot cannot bypass firewall tool aliases, install script blocking set in config files, or CI-level lockfile-lint checks. Always review AI-generated install commands before running them, and ensure your protections are set at the config level rather than relying on CLI defaults.
Should I ask my AI coding assistant to write utility functions instead of installing packages?
Yes, whenever the functionality is achievable with native APIs or a small utility function. Modern JavaScript provides `fetch`, `crypto.randomUUID()`, `Intl.DateTimeFormat`, `structuredClone`, and many other built-ins that replace common package dependencies. Asking the AI to write the code directly eliminates the dependency and its entire transitive tree from your attack surface. Reserve package installations for genuinely complex functionality like database drivers or image processing libraries.
How do I audit a project where an AI has been adding dependencies without oversight?
Start by reviewing package.json for unnecessary packages replaceable with native code. Install a firewall tool (Socket or npq), alias your install command, and clear your package manager cache. Run lockfile-lint (for npm/bun) to check lock file integrity. Enable all seven layers of the Lockdown Framework. Then systematically remove packages the AI added that can be replaced with utility functions, reducing your attack surface going forward.