
Policy Configuration

npmvc-policy.json controls what gets checked and how strictly.

Full schema

{
  "enforcement": "warn | block | off",
  "transitive": true,
  "minAge": "7d",
  "perPackage": { "left-pad": "30d" },
  "unattested": "warn | block | allow",
  "unattestedMinAge": "30d",
  "trustedIssuers": ["did:key:z6Mk..."],
  "requireAuditWithin": "90d",
  "registry": "https://npmvc.com",
  "publisherContinuity": {
    "required": true,
    "onUnauthorizedChange": "warn | block",
    "pinned": { "express": "did:key:z6Mk..." }
  },
  "revocation": {
    "required": false,
    "checkVia": "webvh | none",
    "registryUrl": "https://npmvc.com",
    "maxCacheAge": "10m"
  },
  "waivers": [{
    "package": "legacy-dep",
    "versionRange": "*",
    "reason": "reviewed manually",
    "expiresAt": "2027-01-01"
  }],
  "lifecycleScripts": {
    "postInstall": "forbidden | whitelisted | allowed",
    "whitelist": ["esbuild", "sharp"]
  },
  "licenses": {
    "allowed": ["MIT", "Apache-2.0", "ISC"],
    "denied": ["AGPL-3.0", "SSPL-1.0"]
  }
}

enforcement

off — skip checks. warn — report but allow. block — exit non-zero on failures.

minAge

Reject versions published less than this duration ago. Accepted formats: 7d, 24h, 30m, 1y. perPackage overrides the global value for the named packages.

unattested

Applies to packages that ship no attestation bundle. allow accepts them silently; warn logs them; block fails the check.

publisherContinuity

Detect when a package's publisher DID changes. pinned maps package names to their expected DIDs; onUnauthorizedChange sets what happens when the observed DID does not match.

waivers

Explicit exceptions for packages that have been reviewed. A matching waiver downgrades failures to warnings; expiresAt bounds how long the waiver applies.

lifecycleScripts

forbidden — fail on any install script. whitelisted — allow named packages. allowed — no restriction.

licenses

SPDX license filtering. allowed is a whitelist; denied is a blacklist.
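To make the interaction between these keys concrete, here is an added example (not npmvc's own code) that applies the rules above to a single package record. The shape of the package record, the duration grammar and the restriction of waivers to the "*" range are assumptions.

```javascript
// Added example, not npmvc's implementation. pkg is an assumed record:
// { name, version, publishedAt (ISO), attested, publisherDid, hasPostInstall, license }
const UNITS = { m: 60e3, h: 3600e3, d: 86400e3, y: 365 * 86400e3 };
function parseDuration(s) {
  const m = /^(\d+)([mhdy])$/.exec(s); // assumed grammar: <number><m|h|d|y>
  if (!m) throw new Error(`bad duration: ${s}`);
  return Number(m[1]) * UNITS[m[2]];
}

// Returns { findings: [{ rule, level, msg }], exitCode } for one package.
function evaluatePolicy(policy, pkg, now = new Date()) {
  if (policy.enforcement === "off") return { findings: [], exitCode: 0 };
  const findings = [];
  const fail = (rule, msg, level = "block") => findings.push({ rule, level, msg });

  // minAge, with a perPackage override taking precedence
  const minAge = (policy.perPackage || {})[pkg.name] || policy.minAge;
  if (minAge && now - new Date(pkg.publishedAt) < parseDuration(minAge))
    fail("minAge", `${pkg.name}@${pkg.version} is younger than ${minAge}`);

  // unattested: allow | warn | block
  if (!pkg.attested && policy.unattested && policy.unattested !== "allow")
    fail("unattested", "no attestation bundle", policy.unattested);

  // publisherContinuity: a pinned DID must match the observed publisher
  const pc = policy.publisherContinuity || {};
  const pinned = (pc.pinned || {})[pkg.name];
  if (pc.required && pinned && pinned !== pkg.publisherDid)
    fail("publisherContinuity", `publisher DID differs from pinned ${pinned}`, pc.onUnauthorizedChange || "block");

  // lifecycleScripts: forbidden | whitelisted | allowed
  const ls = policy.lifecycleScripts || {};
  if (pkg.hasPostInstall && (ls.postInstall === "forbidden" ||
      (ls.postInstall === "whitelisted" && !(ls.whitelist || []).includes(pkg.name))))
    fail("lifecycleScripts", "postinstall script not permitted");

  // licenses: the denied list wins over the allowed list
  const lic = policy.licenses || {};
  if ((lic.denied || []).includes(pkg.license)) fail("licenses", `denied license ${pkg.license}`);
  else if (lic.allowed && !lic.allowed.includes(pkg.license)) fail("licenses", `${pkg.license} not in allowed list`);

  // waivers: an unexpired waiver (only "*" ranges handled here) downgrades block to warn,
  // as does enforcement: "warn" for every finding
  const waived = (policy.waivers || []).some(w => w.package === pkg.name &&
    w.versionRange === "*" && new Date(w.expiresAt) > now);
  for (const f of findings)
    if (f.level === "block" && (waived || policy.enforcement === "warn")) f.level = "warn";

  return { findings, exitCode: findings.some(f => f.level === "block") ? 1 : 0 };
}
```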
