DEV Community



How to prevent other team members from installing new npm packages?


  • Only the project owner can install new npm packages.
  • npm install should work for local development and the CI/CD pipeline.
  • When other team members run the npm install <PackageName> command, it should print an error message like: "Installing new npm package is prevent, please contact the project owner."

Motivation: I don't want other team members to install packages at will. I want to limit this behavior through code or a script.

This is an optional-based question. Thanks for any advice.

Top comments (6)

Alex Lohr

I believe you should focus on your repository and process (code review) in order to allow your team to earn your trust instead of preventing them from explorative use of external packages. Without trust, a team will never work smoothly, because everyone is watching their back. Also, document the handling of external packages in the README so that everyone can get the rationale behind it.

tinkermakar

You can

  1. Restrict pushing to main branches directly; only pull requests are allowed
  2. Draft a GitHub Actions script to verify that package.json's hash matches a predefined hash (i.e. the file is the same as before)
  3. Make that GitHub action mandatory to merge any PR

Muhammad Uzair

You probably need to find a way to restrict write access to the package.json file.

This Stack Overflow question can be helpful.

wxifu

Came across an old yarn issue that gave the following solution:

  "engines": {
    "npm": "anythingthatisntavalidversion",
    "yarn": "anythingthatisntavalidversion"
  }

within your package.json and

engine-strict = true

in a file called .npmrc

wxifu

This only prevents the use though and doesn't return a reply like the example you gave.

jasoncubic

Build a CI step in GitHub Actions to error out when a dependency is added. Have it run on all PRs.