What does dnpm check scan for?

dnpm check runs a 6-point security scan: lockfile integrity (detects registry poisoning), npm audit (known CVEs), signature verification (tamper detection), Socket.dev behavioral analysis (suspicious runtime behaviors), deprecated package detection, and container image CVE scanning via Trivy. Reports are saved to .dnpm/reports/ with timestamped files and a latest.txt symlink.

Does dnpm modify my CLAUDE.md?

Yes, dnpm setup automatically prepends dnpm usage instructions to your project's CLAUDE.md so AI coding assistants use ./dnpm instead of bare npm. If no CLAUDE.md exists, one is created. The injection is idempotent — running setup multiple times will not duplicate the instructions.

dnpm - Secure Docker NPM Wrapper & Configurator

Generate a hardened Docker-based npm wrapper that sandboxes every install, build, and dev command. Blocks postinstall attacks, drops all capabilities, runs as non-root, builds with zero network access, and includes a 6-point security scanner.

X Facebook LinkedIn Reddit

Quick Start

3 commands to a secure npm workflow

terminal

# Download files below or configure + download zip
$ ./dnpm setup
$ ./dnpm run dev
$ ./dnpm install axios  # sandboxed, safe from supply chain attacks

# React Native / Expo? Sync modules to host:
$ ./dnpm sync            # copies sandboxed modules for Metro/Xcode

Project Settings

Project Name

Framework

Node.js Version

Dev Server Port

Resource Limits

Memory Limit

CPU Limit

Max PIDs

/tmp Size

Enable file polling (macOS + Docker)

Required for HMR when using Docker on macOS. Disable on Linux for better performance.

Full Secure Workflow

Install, scan, and develop — every step protected.

./dnpm setup

Install deps in sandbox (scripts blocked, then rebuild offline)

Install

./dnpm check

Audit vulnerabilities, verify signatures, scan for suspicious behavior

Scan

./dnpm install <pkg>

Add a package (sandboxed, writable lockfile)

Install

./dnpm ci

Clean install from lockfile (two-phase, deterministic)

Install

./dnpm syncRN/Expo only

Copy sandboxed modules to host (React Native, Expo, Metro)

Bridge

./dnpm run dev

Start dev server inside container

Runtime

./dnpm run build

Production build with zero network access

Runtime

./dnpm audit

Verify package signatures against npm registry

Scan

./dnpm shell

Open a debug shell inside the container

Debug

./dnpm nuke

Remove all volumes and rebuild from scratch

Debug

12 Security Layers

Every npm operation runs inside a hardened container with these protections active.

12 / 12

Read-Only Mount01

Your project source is mounted read-only. Malicious packages cannot modify your code, inject backdoors, or tamper with build scripts.

All Capabilities Dropped02

All Linux capabilities are dropped (CAP_NET_RAW, CAP_SYS_ADMIN, etc.). Packages cannot sniff network traffic, mount filesystems, or escalate privileges.

Seccomp Filtering03

Custom seccomp profile restricts syscalls to a whitelist. Socket creation is limited to AF_UNIX, AF_INET, AF_INET6, and AF_NETLINK only.

Postinstall Blocked04

NPM lifecycle scripts (postinstall) are disabled by default. The #1 supply chain attack vector (like the axios RAT) is neutralized.

Offline Builds05

Build and rebuild commands run with network_mode: none. Even if a script slips through, it cannot phone home or exfiltrate data.

Non-Root User06

All operations run as the node user (UID 1000). No root access inside the container, preventing privilege escalation.

Registry Pinned07

npm registry is pinned to registry.npmjs.org. Prevents dependency confusion attacks where private package names are hijacked on alternate registries.

No-Exec /tmp08

/tmp is mounted with noexec flag. Malicious scripts cannot download and execute binaries from temp directories — a common attack pattern.

no-new-privileges09

The no-new-privileges security option prevents setuid/setgid binaries from gaining elevated permissions inside the container.

Resource Limits10

Memory, CPU, and PID limits prevent fork bombs and resource exhaustion attacks. A malicious package cannot crash your system.

Lockfile Integrity11

Before every install, dnpm checks package-lock.json for non-npmjs.org URLs that could indicate lockfile poisoning attacks.

Two-Phase Install12

Dependencies download with scripts disabled (Phase 1), then postinstall runs with zero network (Phase 2). Separates fetching from execution.

npm vs bun vs dnpm

dnpm provides defense-in-depth that npm and bun cannot match.

Protection	npm	bun	dnpm
Runs postinstall by default	!	—	—
Read-only project mount	—	—	✓
Offline builds (no network)	—	—	✓
Seccomp syscall filtering	—	—	✓
Non-root container user	—	—	✓
All capabilities dropped	—	—	✓
noexec /tmp	—	—	✓
Lockfile integrity check	—	—	✓
Registry pinned to npmjs.org	—	—	✓
Resource limits (memory/CPU/PIDs)	—	—	✓

How to Generate a Secure npm Sandbox

1

Enter your project details

Set your project name, select a framework (React, Next.js, Astro, etc.), choose a Node.js version, and configure the dev server port.
2

Configure resource limits

Set memory limits, CPU quotas, max PIDs, and /tmp size. These prevent runaway scripts from consuming host resources during installs or builds.
3

Review the security layers

The generator automatically enables 12 security layers including two-phase install, capability dropping, seccomp filtering, non-root execution, and registry pinning.
4

Download or copy the config files

Get the generated Dockerfile, docker-compose.yml, and dnpm wrapper script. Copy them into your project root and run ./dnpm setup to start.
5

Run your first sandboxed install

Use ./dnpm install to add packages safely. Phase 1 downloads with scripts disabled, Phase 2 rebuilds with zero network access. Run ./dnpm check for a full security scan.

Common Use Cases

Preventing Supply Chain Attacks

Run npm install inside a container that drops all capabilities, disables network during rebuild, and filters syscalls. Malicious postinstall scripts cannot escape the sandbox.

Securing CI/CD Pipelines

Use dnpm in your CI pipeline to install dependencies in a hardened container. The lockfile integrity check detects any non-npmjs.org URLs before installing.

Safe Open Source Evaluation

Try unfamiliar npm packages without risking your development machine. The sandbox blocks filesystem access, network calls, and privilege escalation.

Why Use dnpm?

The npm ecosystem faces a growing supply chain attack surface. In April 2026, compromised versions of axios (1.14.1 and 0.30.4) were published with a remote access trojan hidden in a postinstall script. Running npm install on bare metal means these scripts execute with full access to your filesystem, SSH keys, and credentials. dnpm wraps every npm operation inside a hardened Docker container. Your project is mounted read-only, all Linux capabilities are dropped, and postinstall scripts are disabled by default. When you do need lifecycle scripts (like native module compilation), they run in a separate phase with zero network access — so even if malicious code executes, it cannot phone home or exfiltrate data. The dnpm check command runs a 6-point security scan after every setup: lockfile integrity, npm audit, signature verification, Socket.dev behavioral analysis, deprecated package detection, and container image CVE scanning via Trivy. Reports are saved to .dnpm/reports/ with timestamped files and a latest.txt for easy review. dnpm setup also auto-injects usage instructions into your project's CLAUDE.md, ensuring AI coding assistants use the sandboxed wrapper instead of bare npm. The injection is idempotent and safe to run repeatedly. Unlike bun's approach of simply skipping postinstall scripts, dnpm provides defense in depth: seccomp syscall filtering, noexec tmp, non-root user, resource limits, and lockfile integrity checks. It works with any Node.js project and requires only Docker.

The dnpm Configurator generates a complete, hardened Docker-based npm wrapper tailored to your project. Supply chain attacks targeting the npm ecosystem have increased significantly, with compromised packages using postinstall scripts to exfiltrate credentials, SSH keys, and environment variables from developer machines. dnpm addresses this by running every npm operation inside an isolated Docker container with 12 security layers. The two-phase install process first downloads packages with lifecycle scripts disabled, then rebuilds native modules in a second phase with zero network access, preventing malicious code from phoning home even if it executes. Additional protections include read-only project mounts, all Linux capabilities dropped, seccomp syscall filtering, non-root execution, noexec on /tmp, registry pinning to npmjs.org, and configurable resource limits for CPU, memory, and process count. The built-in dnpm check command runs a 6-point security scan covering lockfile integrity, npm audit, signature verification, Socket.dev behavioral analysis, deprecated package detection, and container image CVE scanning via Trivy. This configurator lets you visually set your project name, framework, Node.js version, dev port, and resource limits, then generates the Dockerfile, docker-compose.yml, and wrapper script ready to download. Everything runs in the browser with no data uploaded to any server.

Frequently Asked Questions

Does dnpm replace npm?

No. dnpm wraps npm inside a secure Docker container. Every npm command you know still works — dnpm just adds isolation and security layers around it.

Will my npm scripts still work?

Yes. Scripts defined in package.json (dev, build, test, etc.) work normally. Lifecycle scripts like postinstall are disabled by default but run in the offline rebuild phase when you use dnpm setup or dnpm ci.

Does it work with yarn or pnpm?

The generated setup is npm-focused, but you can modify the Dockerfile and compose file to use yarn or pnpm instead. The security model (read-only mount, seccomp, capability dropping) works identically.

Why not just use bun?

Bun skips postinstall scripts by default, which helps. But the malicious code still gets downloaded to node_modules, and bun doesn't provide filesystem isolation, capability dropping, seccomp filtering, or network isolation. dnpm provides defense in depth.

Is there a performance impact?

Docker adds minimal overhead for dev servers and builds. The initial image build takes ~30 seconds. After that, dnpm run dev starts as fast as native npm. File watching works via polling (configurable) which uses slightly more CPU on macOS.

Related Tools

Loadbalancer Design

Developers

Json Formatter

Developers

Json Minifier

Developers

Json Escaper

Developers

Url Params To Json

Developers

Json To Url Params

Developers

Json Path Finder

Developers

Json To Html Form

Developers

Json To Tailwind Form

Developers

Json To Bootstrap Form

Developers

Json To React Form

Developers

Form To Json Schema

Developers

Yolobox Configurator: Generate AI Sandbox Configs in Seconds 7 min read

npm Supply Chain Attacks: How to Secure npm install With Docker Sandboxing 6 min read

Yolobox: Run AI Coding Agents Safely Inside Containers 5 min read

Quick Start

Project Settings

Resource Limits

Full Secure Workflow

12 Security Layers

npm vs bun vs dnpm

How to Generate a Secure npm Sandbox

Enter your project details

Configure resource limits

Review the security layers

Download or copy the config files

Run your first sandboxed install

Common Use Cases

Preventing Supply Chain Attacks

Securing CI/CD Pipelines

Safe Open Source Evaluation

Why Use dnpm?

Frequently Asked Questions

Does dnpm replace npm?

Will my npm scripts still work?

Does it work with yarn or pnpm?

Why not just use bun?

Is there a performance impact?

Related Tools

Related Guides

Rate This Tool

Get Weekly Tools

Suggest a Tool