@libguard/cli
v0.1.1
Shield your projects from npm supply-chain attacks. Checks packages against a curated registry of malicious, compromised, and typosquatted packages before installation.
@libguard/cli
Supply-chain attack protection for npm. Checks every package against a curated registry of malicious, compromised, and typosquatted packages before installation.
Install
```
npm install -g @libguard/cli
```
Usage
Wrap your package manager command with libguard:
```
libguard npm install express
libguard npm install [email protected]
libguard npx create-react-app my-app
```
If a package is flagged, installation is blocked with details about the threat.
How it works
- Parses the package specs you are about to install from the wrapped command
- Checks each one against the LibGuard advisory registry (API, with a local fallback)
- Blocks the install if a match is found at or above your configured severity threshold
- Hands the command through to the package manager unchanged if every package is clean
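As an added illustration of the flow just described (this is example code written for this page, not @libguard/cli's own implementation), the block below parses npm-style package specs out of an install command, looks each name up in a constructed advisory list, and decides whether to block based on a severity threshold that uses the same four levels as the configuration. The registry entries and package names are placeholders made up for the example; `parseSpec`, `extractPackages` and `checkPackages` are assumed names.

```javascript
// Example only: models the parse -> lookup -> threshold decision, not LibGuard's code.

// Severity order used for the "block at or above" comparison.
const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Constructed sample advisories; these names are placeholders, not real packages.
const SAMPLE_REGISTRY = {
  "evil-placeholder": { severity: "critical", reason: "known malicious code" },
  "expres": { severity: "high", reason: "typosquat of express" },
  "sketchy-placeholder": { severity: "medium", reason: "suspicious install script" },
};

// Parse one spec ("express", "lodash@4.17.21", "@scope/pkg@1.0.0") into name/version.
// A leading "@" belongs to the scope, so only an "@" after position 0 separates a version.
function parseSpec(spec) {
  const at = spec.lastIndexOf("@");
  if (at <= 0) return { name: spec, version: null };
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Pull the package specs out of the wrapped command; flags like --save-dev are skipped.
function extractPackages(pm, command, args) {
  if (pm === "npm" && command === "install") {
    return args.filter((a) => !a.startsWith("-")).map(parseSpec);
  }
  if (pm === "npx") return [parseSpec(command)]; // npx runs the named package directly
  return [];
}

// Look every parsed package up in the registry; a finding blocks only when its
// severity ranks at or above blockLevel (default "high", as in the README).
function checkPackages(pkgs, registry, blockLevel = "high") {
  const threshold = SEVERITY_RANK[blockLevel];
  if (threshold === undefined) throw new Error(`unknown block level: ${blockLevel}`);
  const findings = [];
  for (const { name, version } of pkgs) {
    const adv = registry[name];
    if (!adv) continue;
    findings.push({
      name,
      version,
      severity: adv.severity,
      reason: adv.reason,
      blocked: SEVERITY_RANK[adv.severity] >= threshold,
    });
  }
  return { blocked: findings.some((f) => f.blocked), findings };
}

// Stand-alone demo: a typosquat alongside a clean package at the default threshold.
const demo = checkPackages(
  extractPackages("npm", "install", ["express", "expres", "--save-dev"]),
  SAMPLE_REGISTRY
);
console.log(JSON.stringify(demo, null, 2));
```

Note that a medium-severity advisory is reported but not blocked at the default `high` threshold; lowering `blockLevel` to `medium` turns the same finding into a block, which is the knob `LIBGUARD_BLOCK_LEVEL` and `--block-level` expose.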
Configuration
Create a .libguardrc file in your project root:
```json
{
  "blockLevel": "high",
  "strict": false,
  "cacheTtlMinutes": 15
}
```
Or use environment variables:
| Variable | Description | Default |
|----------|-------------|---------|
| LIBGUARD_API_URL | Custom API endpoint | https://api.libguard.dev/v1 |
| LIBGUARD_BLOCK_LEVEL | Minimum severity to block (low, medium, high, critical) | high |
| LIBGUARD_STRICT | Set to 1 to fail if the API is unreachable | false |
| LIBGUARD_CACHE_TTL | Cache lifetime in minutes | 15 |
Options
```
libguard [pm] [command] [args...]

Options:
  --allow          Skip checks (escape hatch)
  --strict         Fail if API unreachable
  --block-level    Override minimum severity
  -V, --version    Show version
  -h, --help       Show help
```
Offline support
LibGuard ships with a built-in static registry of ~20 known-malicious packages as a fallback when the API is unreachable. The local cache (~/.libguard/cache.json) also serves responses offline while they are within the TTL window.
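The following is an added example (not @libguard/cli's own code) of the offline decision this section describes: a cached answer is reused while it is inside the TTL window, an unreachable API falls back to a stale cache entry or the shipped static list, and in strict mode an unreachable API fails the check instead of falling back. The cache layout (`fetchedAt` plus the stored advisory), the `fetchAdvisory` callback, and the `resolveAdvisory` name are assumptions made for the example; the advisory entries are constructed placeholders.

```javascript
// Example only: cache-TTL and strict-mode handling, not LibGuard's implementation.

// Stand-in for the built-in static registry (constructed placeholder entry).
const STATIC_FALLBACK = { "evil-placeholder": { severity: "critical" } };

// A cache entry is fresh when it was fetched less than ttlMinutes ago.
function cacheIsFresh(entry, nowMs, ttlMinutes) {
  return entry !== undefined && nowMs - entry.fetchedAt < ttlMinutes * 60 * 1000;
}

// Resolve the advisory for `name`. `fetchAdvisory(name)` returns the advisory
// object (or null when the package is clean) and throws when the API is unreachable.
// The returned `source` says where the answer came from, which is what a user
// needs in order to judge how much to trust a "clean" verdict given offline.
function resolveAdvisory(name, { cache, fetchAdvisory, nowMs, ttlMinutes, strict }) {
  const cached = cache[name];
  if (cacheIsFresh(cached, nowMs, ttlMinutes)) {
    return { source: "cache", advisory: cached.advisory };
  }
  try {
    const advisory = fetchAdvisory(name);
    cache[name] = { fetchedAt: nowMs, advisory };
    return { source: "api", advisory };
  } catch (err) {
    if (strict) {
      throw new Error(`libguard: API unreachable and strict mode is on (${err.message})`);
    }
    // Non-strict: a stale cache entry beats the static list, which beats nothing.
    if (cached !== undefined) return { source: "stale-cache", advisory: cached.advisory };
    return { source: "static", advisory: STATIC_FALLBACK[name] ?? null };
  }
}

// Stand-alone demo: the API is down, the cache holds a 20-minute-old entry, TTL is 15.
const demoCache = {
  "expres": { fetchedAt: Date.now() - 20 * 60 * 1000, advisory: { severity: "high" } },
};
const apiDown = () => { throw new Error("ECONNREFUSED"); };
console.log(resolveAdvisory("expres", {
  cache: demoCache, fetchAdvisory: apiDown, nowMs: Date.now(), ttlMinutes: 15, strict: false,
}));
```

The design point worth noticing is that a package absent from both the cache and the ~20-entry static list resolves to "clean" with `source: "static"`; that is the residual risk of running non-strict while offline, and the reason `LIBGUARD_STRICT=1` exists for CI pipelines that would rather fail than proceed on a partial registry.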
License
MIT
