Consumer Setup
Verify your npm dependencies in 2 minutes.
1. Install npmvc

```bash
# Install globally (recommended)
npm install -g @ajna-inc/npmvc

# Or as a dev dependency
npm install -D @ajna-inc/npmvc
# pnpm add -D @ajna-inc/npmvc
# yarn add -D @ajna-inc/npmvc
```

2. Set up the verification hook
```bash
# Default — block on explicit failures, warn on unattested deps
npmvc install-hook

# Or:
npmvc install-hook --preset strict      # block on unattested too
npmvc install-hook --preset permissive  # warn-only (legacy 0.4.x behavior)
```

This adds a preinstall hook to your package.json and writes npmvc-policy.json. Every subsequent `npm install` runs verification automatically. Works with npm, pnpm, and yarn.
What gets checked
- Signatures — every attestation is verified against the publisher's DID
- Tarball digest — installed bytes are hashed and compared to the signed claim
- Revocation — credentials on the registry's revocation list are refused
- Age — versions younger than `minAge` (default 7 days) are flagged
- Publisher continuity — DID changes across versions block (did:webvh rotations allowed via SCID)
- Trust root — `trustedIssuersURL` is fetched and its Ed25519 signature verified against the pinned root DID
- Lifecycle scripts — `postinstall` scripts are flagged unless whitelisted
- Transitive deps — the entire lockfile tree is walked
- Audit credentials — only DIDs in `trustedAuditIssuers` (when set) count; credentials older than `auditMaxAge` are rejected
Preset behavior
| Preset | Bad sig | Tampered bytes | Revoked | Unattested |
|---|---|---|---|---|
| strict | block | block | block | block |
| balanced (default) | block | block | block | warn |
| permissive | warn | warn | warn | warn |
Verify manually
```bash
npmvc verify
npmvc verify --json
npmvc verify --report report.json
```

Skip temporarily
There is no env-var bypass. To temporarily disable verification, edit package.json#scripts.preinstall directly (e.g. comment it out for the affected install).