[{"data":1,"prerenderedAt":1807},["ShallowReactive",2],{"docs-page:\u002Fdocs\u002Fsecurity":3,"docs-pages":1470},{"id":4,"title":5,"body":6,"description":16,"extension":1463,"meta":1464,"navigation":1465,"path":1466,"seo":1467,"stem":1468,"__hash__":1469},"docs\u002Fdocs\u002Fsecurity.md","Security",{"type":7,"value":8,"toc":1445},"minimark",[9,13,17,28,38,41,66,69,129,132,136,150,190,193,204,207,231,236,256,316,341,354,358,365,379,382,446,455,462,466,471,508,511,514,529,532,585,598,617,621,624,642,648,658,677,681,710,713,741,747,755,766,784,795,850,868,885,888,894,989,1003,1006,1049,1076,1107,1110,1130,1147,1151,1165,1182,1189,1193,1199,1206,1210,1236,1256,1260,1294,1312,1326,1332,1336,1361,1371,1375,1378,1425,1441],[10,11,5],"h1",{"id":12},"security",[14,15,16],"p",{},"This page lists every security-relevant feature in scpm, its default, and the\none-line config to turn it on or off.",[14,18,19,20,27],{},"To report a vulnerability, see the ",[21,22,26],"a",{"href":23,"rel":24},"https:\u002F\u002Fgit.nik.technology\u002Fscpm\u002Fscpm\u002Fsecurity\u002Fpolicy",[25],"nofollow","security policy",".",[29,30,32,33,37],"h2",{"id":31},"the-paranoid-switch","The ",[34,35,36],"code",{},"paranoid"," switch",[14,39,40],{},"The fastest way to enable the strict bundle is one line:",[42,43,48],"pre",{"className":44,"code":45,"language":46,"meta":47,"style":47},"language-yaml shiki shiki-themes github-light github-dark","paranoid: true\n","yaml","",[34,49,50],{"__ignoreMap":47},[51,52,55,58,62],"span",{"class":53,"line":54},"line",1,[51,56,36],{"class":57},"s9eBZ",[51,59,61],{"class":60},"sVt8B",": ",[51,63,65],{"class":64},"sj4cs","true\n",[14,67,68],{},"This forces every setting in the strict bundle on, regardless of how each is\nconfigured individually:",[70,71,72,81,94,100,110,116],"ul",{},[73,74,75],"li",{},[21,76,78],{"href":77},"#jailed-lifecycle-scripts",[34,79,80],{},"jailBuilds = 
true",[73,82,83,89,90,93],{},[21,84,86],{"href":85},"#trust-policy",[34,87,88],{},"trustPolicy = no-downgrade"," (overrides explicit ",[34,91,92],{},"off",")",[73,95,96,99],{},[34,97,98],{},"minimumReleaseAgeStrict = true"," — turns the age gate into a hard fail\ninstead of \"fall back to the lowest satisfying version\"",[73,101,102,105,106,109],{},[34,103,104],{},"strictStoreIntegrity = true"," — fail when a tarball ships without\n",[34,107,108],{},"dist.integrity"," instead of warning",[73,111,112,115],{},[34,113,114],{},"strictDepBuilds = true"," — fail the install when a dep has unreviewed\nbuild scripts instead of silently skipping",[73,117,118,124,125,128],{},[21,119,121],{"href":120},"#typosquat-and-impersonation-protection",[34,122,123],{},"advisoryCheck = required"," —\nfail ",[34,126,127],{},"scpm add"," if OSV can't be reached instead of falling back to\ndownload-count signal alone",[14,130,131],{},"Use it when you want maximum protection without listing each setting.",[29,133,135],{"id":134},"default-deny-lifecycle-scripts","Default-deny lifecycle scripts",[14,137,138,139,142,143,142,146,149],{},"Lifecycle scripts (",[34,140,141],{},"preinstall",", ",[34,144,145],{},"install",[34,147,148],{},"postinstall",") run arbitrary code\nwhen a package is installed, which makes them a common attack vector. 
scpm\ndoesn't run dependency lifecycle scripts unless you've approved them\nexplicitly:",[42,151,153],{"className":44,"code":152,"language":46,"meta":47,"style":47},"# scpm-workspace.yaml\nallowBuilds:\n  esbuild: true\n  sharp: true\n",[34,154,155,161,170,180],{"__ignoreMap":47},[51,156,157],{"class":53,"line":54},[51,158,160],{"class":159},"sJ8bj","# scpm-workspace.yaml\n",[51,162,164,167],{"class":53,"line":163},2,[51,165,166],{"class":57},"allowBuilds",[51,168,169],{"class":60},":\n",[51,171,173,176,178],{"class":53,"line":172},3,[51,174,175],{"class":57},"  esbuild",[51,177,61],{"class":60},[51,179,65],{"class":64},[51,181,183,186,188],{"class":53,"line":182},4,[51,184,185],{"class":57},"  sharp",[51,187,61],{"class":60},[51,189,65],{"class":64},[14,191,192],{},"Or interactively:",[42,194,198],{"className":195,"code":196,"language":197,"meta":47,"style":47},"language-sh shiki shiki-themes github-light github-dark","scpm approve-builds\n","sh",[34,199,200],{"__ignoreMap":47},[51,201,202],{"class":53,"line":54},[51,203,196],{},[14,205,206],{},"Root-package lifecycle scripts (your own project's) still run normally; only\ndependency scripts need approval.",[14,208,209,210,215,216,219,220,223,224,227,228,27],{},"Settings: ",[21,211,213],{"href":212},"\u002Fdocs\u002Fsettings\u002F#setting-allowbuilds",[34,214,166],{},". 
Install adds\nunreviewed build packages to ",[34,217,218],{},"scpm-workspace.yaml"," (or ",[34,221,222],{},"pnpm-workspace.yaml","\nif one already exists) as ",[34,225,226],{},"false","; approving them flips the entry to ",[34,229,230],{},"true",[232,233,235],"h3",{"id":234},"suspicious-script-content-sniff","Suspicious-script content sniff",[14,237,238,239,242,243,245,246,248,249,251,252,255],{},"Before the warm-up nudge to run ",[34,240,241],{},"scpm approve-builds",", scpm runs a\nsmall pattern matcher against each unreviewed dep's ",[34,244,141],{}," \u002F\n",[34,247,145],{}," \u002F ",[34,250,148],{}," script bodies and surfaces a\n",[34,253,254],{},"WARN_SCPM_SUSPICIOUS_LIFECYCLE_SCRIPT"," for any that match a\nknown-dangerous shape:",[70,257,258,267,279,295,307,310],{},[73,259,260,248,263,266],{},[34,261,262],{},"curl … | sh",[34,264,265],{},"wget … | bash"," — fetch-and-pipe-to-shell.",[73,268,269,248,272,248,275,278],{},[34,270,271],{},"eval(atob(…))",[34,273,274],{},"Function(atob(…))",[34,276,277],{},"eval(Buffer.from(…))"," —\nbase64-decode-then-evaluate. Common dropper shape.",[73,280,281,282,142,285,142,288,142,291,294],{},"Reads of ",[34,283,284],{},"~\u002F.ssh",[34,286,287],{},"~\u002F.aws",[34,289,290],{},"~\u002F.npmrc",[34,292,293],{},"~\u002F.config\u002Fgh"," —\ncredential files a lifecycle script has no business touching.",[73,296,297,142,300,142,303,306],{},[34,298,299],{},"process.env.*TOKEN",[34,301,302],{},"*SECRET",[34,304,305],{},"*API_KEY",", etc. — secret-shaped\nenv vars exfilled from CI.",[73,308,309],{},"Discord webhooks, Telegram bot API, OAST collaborator hosts —\nknown exfil channels.",[73,311,312,315],{},[34,313,314],{},"http:\u002F\u002F1.2.3.4\u002F…"," bare-IP HTTP targets.",[14,317,318,319,323,324,326,327,330,331,333,334,337,338,340],{},"The sniff is ",[320,321,322],"strong",{},"advisory"," — it never blocks an install or write.\nThe ",[34,325,166],{}," allowlist remains the only gate on whether\nscripts actually execute. 
The signal is intended to give the user\nsomething more than ",[34,328,329],{},"name@version"," to judge by when deciding\nwhether to approve a build. ",[34,332,241],{}," repeats the same\nwarnings inline next to each picker entry, and ",[34,335,336],{},"scpm ignored-builds"," lists them under each ",[34,339,329],{}," line.",[14,342,343,344,346,347,349,350,353],{},"False positives are possible (an SDK that legitimately hits a\nDiscord webhook from a ",[34,345,148],{}," would flag), but lifecycle\nscript bodies are short and almost never contain bare\n",[34,348,262],{}," legitimately. To bypass for a known-good package,\nadd it to ",[34,351,352],{},"allowBuilds: true"," once you've inspected the script —\nthe warning has done its job.",[29,355,357],{"id":356},"jailed-lifecycle-scripts","Jailed lifecycle scripts",[14,359,360,361,364],{},"When a dependency is approved to build, jailing keeps it from getting your\nfull filesystem, network, and environment. On macOS scpm wraps the script with\na Seatbelt profile; on Linux it applies Landlock and seccomp before exec. Both\ndeny network access and limit writes to package and jail-owned temporary\ndirectories. 
On Windows the env is scrubbed and ",[34,362,363],{},"HOME"," is redirected to a\ntemporary directory.",[42,366,368],{"className":44,"code":367,"language":46,"meta":47,"style":47},"jailBuilds: true\n",[34,369,370],{"__ignoreMap":47},[51,371,372,375,377],{"class":53,"line":54},[51,373,374],{"class":57},"jailBuilds",[51,376,61],{"class":60},[51,378,65],{"class":64},[14,380,381],{},"Grant narrow exceptions per-package instead of disabling the jail wholesale:",[42,383,385],{"className":44,"code":384,"language":46,"meta":47,"style":47},"jailBuilds: true\njailBuildPermissions:\n  sharp:\n    env: [SHARP_DIST_BASE_URL]\n    write: [\"~\u002F.cache\u002Fsharp\"]\n    network: true\n",[34,386,387,395,402,408,423,436],{"__ignoreMap":47},[51,388,389,391,393],{"class":53,"line":54},[51,390,374],{"class":57},[51,392,61],{"class":60},[51,394,65],{"class":64},[51,396,397,400],{"class":53,"line":163},[51,398,399],{"class":57},"jailBuildPermissions",[51,401,169],{"class":60},[51,403,404,406],{"class":53,"line":172},[51,405,185],{"class":57},[51,407,169],{"class":60},[51,409,410,413,416,420],{"class":53,"line":182},[51,411,412],{"class":57},"    env",[51,414,415],{"class":60},": [",[51,417,419],{"class":418},"sZZnC","SHARP_DIST_BASE_URL",[51,421,422],{"class":60},"]\n",[51,424,426,429,431,434],{"class":53,"line":425},5,[51,427,428],{"class":57},"    write",[51,430,415],{"class":60},[51,432,433],{"class":418},"\"~\u002F.cache\u002Fsharp\"",[51,435,422],{"class":60},[51,437,439,442,444],{"class":53,"line":438},6,[51,440,441],{"class":57},"    network",[51,443,61],{"class":60},[51,445,65],{"class":64},[14,447,448,449,451,452,454],{},"Default: ",[34,450,226],{}," today, planned to flip to ",[34,453,230],{}," in the next major.",[14,456,457,458,27],{},"Full reference: ",[21,459,461],{"href":460},"\u002Fdocs\u002Fpackage-manager\u002Fjailed-builds","Jailed builds",[29,463,465],{"id":464},"trust-policy","Trust policy",[14,467,468,470],{},[34,469,88],{}," blocks installs of a version that 
carries weaker\ntrust evidence than any earlier-published version of the same package. scpm\nonly counts the structured metadata shape npm emits after registry-side checks:",[472,473,474,484,494],"ol",{},[73,475,476,479,480,483],{},[320,477,478],{},"npm staged publish approval"," — package metadata carries an ",[34,481,482],{},"approver","\nfield from the registry-side approval flow.",[73,485,486,489,490,493],{},[320,487,488],{},"npm trusted-publisher"," — package was published via OIDC from a trusted\nCI provider (",[34,491,492],{},"_npmUser.trustedPublisher.id",").",[73,495,496,499,500,503,504,507],{},[320,497,498],{},"Sigstore provenance"," — package was published with ",[34,501,502],{},"npm publish --provenance"," (",[34,505,506],{},"dist.attestations.provenance.predicateType"," with an SLSA\nprovenance URI).",[14,509,510],{},"This install-time policy validates the registry metadata shape; it does not\ncryptographically verify the attached attestation bundle.",[14,512,513],{},"A trust downgrade may indicate a supply-chain incident: publisher account\ntakeover, repository tampering, or a malicious co-maintainer publishing\nwithout the original CI flow.",[42,515,517],{"className":44,"code":516,"language":46,"meta":47,"style":47},"trustPolicy: no-downgrade\n",[34,518,519],{"__ignoreMap":47},[51,520,521,524,526],{"class":53,"line":54},[51,522,523],{"class":57},"trustPolicy",[51,525,61],{"class":60},[51,527,528],{"class":418},"no-downgrade\n",[14,530,531],{},"Exempt specific packages or versions when needed (only exact versions, no\nranges):",[42,533,535],{"className":44,"code":534,"language":46,"meta":47,"style":47},"trustPolicyExclude:\n  - \"@vendor\u002Flegacy-pkg\"            # all versions\n  - \"old-thing@1.0.0\"                # one version\n  - \"things@1.0.0 || 1.0.1\"          # version union\n  - \"is-*\"                           # name glob (no 
version)\n",[34,536,537,544,555,565,575],{"__ignoreMap":47},[51,538,539,542],{"class":53,"line":54},[51,540,541],{"class":57},"trustPolicyExclude",[51,543,169],{"class":60},[51,545,546,549,552],{"class":53,"line":163},[51,547,548],{"class":60},"  - ",[51,550,551],{"class":418},"\"@vendor\u002Flegacy-pkg\"",[51,553,554],{"class":159},"            # all versions\n",[51,556,557,559,562],{"class":53,"line":172},[51,558,548],{"class":60},[51,560,561],{"class":418},"\"old-thing@1.0.0\"",[51,563,564],{"class":159},"                # one version\n",[51,566,567,569,572],{"class":53,"line":182},[51,568,548],{"class":60},[51,570,571],{"class":418},"\"things@1.0.0 || 1.0.1\"",[51,573,574],{"class":159},"          # version union\n",[51,576,577,579,582],{"class":53,"line":425},[51,578,548],{"class":60},[51,580,581],{"class":418},"\"is-*\"",[51,583,584],{"class":159},"                           # name glob (no version)\n",[14,586,448,587,590,591,594,595,597],{},[34,588,589],{},"no-downgrade",". Set ",[34,592,593],{},"trustPolicy: off"," to disable, or use\n",[34,596,541],{}," for per-package opt-outs.",[14,599,209,600,605,606,605,611,27],{},[21,601,603],{"href":602},"\u002Fdocs\u002Fsettings\u002F#setting-trustpolicy",[34,604,523],{},",\n",[21,607,609],{"href":608},"\u002Fdocs\u002Fsettings\u002F#setting-trustpolicyexclude",[34,610,541],{},[21,612,614],{"href":613},"\u002Fdocs\u002Fsettings\u002F#setting-trustpolicyignoreafter",[34,615,616],{},"trustPolicyIgnoreAfter",[29,618,620],{"id":619},"minimum-release-age","Minimum release age",[14,622,623],{},"Wait a configurable period before installing newly published versions. 
Catches\ntypo-squat and dependency-confusion attacks that get unpublished within hours.",[42,625,627],{"className":44,"code":626,"language":46,"meta":47,"style":47},"minimumReleaseAge: 4320  # 3 days\n",[34,628,629],{"__ignoreMap":47},[51,630,631,634,636,639],{"class":53,"line":54},[51,632,633],{"class":57},"minimumReleaseAge",[51,635,61],{"class":60},[51,637,638],{"class":64},"4320",[51,640,641],{"class":159},"  # 3 days\n",[14,643,644,647],{},[34,645,646],{},"minimumReleaseAgeStrict: true"," fails the install when no version that passes the age cutoff satisfies\nthe range; otherwise the resolver falls back to the lowest satisfying version,\nignoring the cutoff for that pick only.",[14,649,448,650,653,654,657],{},[34,651,652],{},"1440"," (24 hours). Set ",[34,655,656],{},"minimumReleaseAge: 0"," to disable.",[14,659,209,660,605,665,605,671,27],{},[21,661,663],{"href":662},"\u002Fdocs\u002Fsettings\u002F#setting-minimumreleaseage",[34,664,633],{},[21,666,668],{"href":667},"\u002Fdocs\u002Fsettings\u002F#setting-minimumreleaseageexclude",[34,669,670],{},"minimumReleaseAgeExclude",[21,672,674],{"href":673},"\u002Fdocs\u002Fsettings\u002F#setting-minimumreleaseagestrict",[34,675,676],{},"minimumReleaseAgeStrict",[29,678,680],{"id":679},"typosquat-and-impersonation-protection","Typosquat and impersonation protection",[14,682,683,685,686,690,691,696,697,700,701,704,705,709],{},[34,684,127],{}," checks every package you name on the command line ",[687,688,689],"em",{},"and"," the\nfull post-resolve transitive closure against ",[21,692,695],{"href":693,"rel":694},"https:\u002F\u002Fosv.dev",[25],"OSV"," for\n",[34,698,699],{},"MAL-*"," malicious-package advisories — the same check that ",[34,702,703],{},"scpm update"," and any\nother install path run whenever the resolver picks a version that wasn't\nalready pinned by the lockfile. 
Plain reinstalls (the lockfile was\nauthoritative) skip the live API for latency; an opt-in local mirror\n(see ",[21,706,708],{"href":707},"#install-time-osv-check","Install-time OSV check"," below) covers\nthat path.",[14,711,712],{},"Two signals, with different response levels:",[14,714,715,718,719,696,722,724,725,728,729,732,733,736,737,740],{},[320,716,717],{},"Known-malicious advisories."," scpm batch-queries ",[21,720,695],{"href":693,"rel":721},[25],[34,723,699],{}," advisories on every name about to be added. A hit fails the install\nwith ",[34,726,727],{},"ERR_SCPM_MALICIOUS_PACKAGE"," and a link to the advisory. If\nthe OSV API can't be reached, the default (",[34,730,731],{},"advisoryCheck: on",") warns and\ncontinues; ",[34,734,735],{},"advisoryCheck: required"," upgrades that to a fail-closed\n",[34,738,739],{},"ERR_SCPM_ADVISORY_CHECK_FAILED"," so CI can tell a network outage from a\nconfirmed-malicious advisory.",[14,742,743,746],{},[320,744,745],{},"Low download count."," A typosquat or impersonation has approximately zero\ninstalls on day one regardless of how cleverly it's named, so a\ndownload-count floor catches the long tail of squats that haven't been\nreported yet. Below the threshold, scpm prompts for confirmation:",[42,748,753],{"className":749,"code":751,"language":752},[750],"language-text","scpm add supabase-javascript\n\n  ⚠ supabase-javascript looks suspicious:\n    • 3 downloads last week (threshold: 1000)\n  Continue adding supabase-javascript? 
[y\u002FN]\n","text",[34,754,751],{"__ignoreMap":47},[14,756,757,758,761,762,765],{},"In non-interactive contexts the prompt becomes a hard refusal with\n",[34,759,760],{},"ERR_SCPM_LOW_DOWNLOAD_PACKAGE"," unless ",[34,763,764],{},"--allow-low-downloads"," is passed.",[14,767,768,771,772,775,776,779,780,783],{},[320,769,770],{},"Private packages skip both gates automatically."," Any package routed\nthrough a non-",[34,773,774],{},"registry.npmjs.org"," registry — whether by a scoped\noverride (",[34,777,778],{},"@myorg:registry=https:\u002F\u002Fnpm.internal.example\u002F",") or by\nreplacing the default ",[34,781,782],{},"registry="," URL outright — is exempted from\nthe OSV check and the downloads gate, because npmjs has no signal on\nit. Workspace deps and git\u002Flocal specs are also skipped.",[14,785,786,787,790,791,794],{},"For names that ",[687,788,789],{},"do"," route through public npmjs but are known-internal\n(e.g. you publish a low-traffic helper under your own brand), list\nthem in ",[34,792,793],{},"allowedUnpopularPackages"," to skip the downloads gate alone:",[42,796,798],{"className":44,"code":797,"language":46,"meta":47,"style":47},"advisoryCheck: on            # default; fail open on network error\nlowDownloadThreshold: 1000   # weekly downloads, 0 disables\nallowedUnpopularPackages:    # glob patterns; OSV check still runs\n  - \"@mycompany\u002F*\"\n  - \"internal-*\"\n",[34,799,800,813,826,836,843],{"__ignoreMap":47},[51,801,802,805,807,810],{"class":53,"line":54},[51,803,804],{"class":57},"advisoryCheck",[51,806,61],{"class":60},[51,808,809],{"class":64},"on",[51,811,812],{"class":159},"            # default; fail open on network error\n",[51,814,815,818,820,823],{"class":53,"line":163},[51,816,817],{"class":57},"lowDownloadThreshold",[51,819,61],{"class":60},[51,821,822],{"class":64},"1000",[51,824,825],{"class":159},"   # weekly downloads, 0 
disables\n",[51,827,828,830,833],{"class":53,"line":172},[51,829,793],{"class":57},[51,831,832],{"class":60},":    ",[51,834,835],{"class":159},"# glob patterns; OSV check still runs\n",[51,837,838,840],{"class":53,"line":182},[51,839,548],{"class":60},[51,841,842],{"class":418},"\"@mycompany\u002F*\"\n",[51,844,845,847],{"class":53,"line":425},[51,846,548],{"class":60},[51,848,849],{"class":418},"\"internal-*\"\n",[14,851,852,853,855,856,859,860,863,864,867],{},"Set ",[34,854,735],{}," to fail closed when OSV can't be reached —\nappropriate for hardened CI, included in ",[34,857,858],{},"paranoid: true",". Set\n",[34,861,862],{},"advisoryCheck: off"," or ",[34,865,866],{},"lowDownloadThreshold: 0"," to disable either check\nindependently.",[14,869,209,870,605,875,605,880,27],{},[21,871,873],{"href":872},"\u002Fdocs\u002Fsettings\u002F#setting-advisorycheck",[34,874,804],{},[21,876,878],{"href":877},"\u002Fdocs\u002Fsettings\u002F#setting-lowdownloadthreshold",[34,879,817],{},[21,881,883],{"href":882},"\u002Fdocs\u002Fsettings\u002F#setting-allowedunpopularpackages",[34,884,793],{},[29,886,708],{"id":887},"install-time-osv-check",[14,889,890,891,893],{},"OSV ",[34,892,699],{}," checks are routed three ways post-resolve so the freshest\nsignal lands when it matters most without paying for a per-install\nnetwork round-trip when it doesn't:",[895,896,897,913],"table",{},[898,899,900],"thead",{},[901,902,903,907,910],"tr",{},[904,905,906],"th",{},"Install path",[904,908,909],{},"Backend",[904,911,912],{},"Setting",[914,915,916,935,948,963,978],"tbody",{},[901,917,918,925,928],{},[919,920,921,142,923],"td",{},[34,922,127],{},[34,924,703],{},[919,926,927],{},"Live API",[919,929,930,932,933,93],{},[34,931,804],{}," (default ",[34,934,809],{},[901,936,937,940,942],{},[919,938,939],{},"Missing lockfile \u002F resolver picked new 
version",[919,941,927],{},[919,943,944,932,946,93],{},[34,945,804],{},[34,947,809],{},[901,949,950,955,957],{},[919,951,952],{},[34,953,954],{},"advisoryCheckEveryInstall = true",[919,956,927],{},[919,958,959,932,961,93],{},[34,960,804],{},[34,962,809],{},[901,964,965,968,971],{},[919,966,967],{},"Plain reinstall (lockfile authoritative)",[919,969,970],{},"Local mirror",[919,972,973,932,976,93],{},[34,974,975],{},"advisoryCheckOnInstall",[34,977,92],{},[901,979,980,983,986],{},[919,981,982],{},"Anything else",[919,984,985],{},"No check",[919,987,988],{},"—",[14,990,991,992,995,996,999,1000,1002],{},"The mirror lives at ",[34,993,994],{},"$XDG_CACHE_HOME\u002Fscpm\u002Fosv\u002Fnpm\u002F"," (the bulk zip from\n",[34,997,998],{},"osv-vulnerabilities.storage.googleapis.com\u002Fnpm\u002Fall.zip",", roughly tens\nof MB) and lazily refreshes with an ETag-conditional GET every 24\nhours. Hits map to the same ",[34,1001,727],{}," exit as the\nlive-API gate.",[14,1004,1005],{},"Trade-off: the mirror lags reality by up to ~24h. An advisory published\nin the last day won't be in your local index unless a refresh happens to\nfall after it. Fresh-resolution installs always go through the live API\nso that lag doesn't matter for new picks; plain reinstalls trade\nsub-day staleness for sub-millisecond lookups.",[42,1007,1009],{"className":44,"code":1008,"language":46,"meta":47,"style":47},"# Default: live API on scpm add \u002F update \u002F fresh-resolution. Mirror\n# disabled — plain reinstalls skip OSV entirely.\nadvisoryCheck: on\nadvisoryCheckOnInstall: off\nadvisoryCheckEveryInstall: false\n",[34,1010,1011,1016,1021,1030,1039],{"__ignoreMap":47},[51,1012,1013],{"class":53,"line":54},[51,1014,1015],{"class":159},"# Default: live API on scpm add \u002F update \u002F fresh-resolution. 
Mirror\n",[51,1017,1018],{"class":53,"line":163},[51,1019,1020],{"class":159},"# disabled — plain reinstalls skip OSV entirely.\n",[51,1022,1023,1025,1027],{"class":53,"line":172},[51,1024,804],{"class":57},[51,1026,61],{"class":60},[51,1028,1029],{"class":64},"on\n",[51,1031,1032,1034,1036],{"class":53,"line":182},[51,1033,975],{"class":57},[51,1035,61],{"class":60},[51,1037,1038],{"class":64},"off\n",[51,1040,1041,1044,1046],{"class":53,"line":425},[51,1042,1043],{"class":57},"advisoryCheckEveryInstall",[51,1045,61],{"class":60},[51,1047,1048],{"class":64},"false\n",[42,1050,1052],{"className":44,"code":1051,"language":46,"meta":47,"style":47},"# Hardened CI: live API on every install, fail-closed on fetch errors.\nadvisoryCheck: required\nadvisoryCheckEveryInstall: true\n",[34,1053,1054,1059,1068],{"__ignoreMap":47},[51,1055,1056],{"class":53,"line":54},[51,1057,1058],{"class":159},"# Hardened CI: live API on every install, fail-closed on fetch errors.\n",[51,1060,1061,1063,1065],{"class":53,"line":163},[51,1062,804],{"class":57},[51,1064,61],{"class":60},[51,1066,1067],{"class":418},"required\n",[51,1069,1070,1072,1074],{"class":53,"line":172},[51,1071,1043],{"class":57},[51,1073,61],{"class":60},[51,1075,65],{"class":64},[42,1077,1079],{"className":44,"code":1078,"language":46,"meta":47,"style":47},"# Cheap fallback: live API on fresh-resolution, local mirror covers\n# plain reinstalls so even CI re-runs see SOME OSV coverage.\nadvisoryCheck: on\nadvisoryCheckOnInstall: on\n",[34,1080,1081,1086,1091,1099],{"__ignoreMap":47},[51,1082,1083],{"class":53,"line":54},[51,1084,1085],{"class":159},"# Cheap fallback: live API on fresh-resolution, local mirror covers\n",[51,1087,1088],{"class":53,"line":163},[51,1089,1090],{"class":159},"# plain reinstalls so even CI re-runs see SOME OSV 
coverage.\n",[51,1092,1093,1095,1097],{"class":53,"line":172},[51,1094,804],{"class":57},[51,1096,61],{"class":60},[51,1098,1029],{"class":64},[51,1100,1101,1103,1105],{"class":53,"line":182},[51,1102,975],{"class":57},[51,1104,61],{"class":60},[51,1106,1029],{"class":64},[14,1108,1109],{},"Refresh-failure semantics for the mirror:",[70,1111,1112,1121],{},[73,1113,1114,61,1117,1120],{},[34,1115,1116],{},"advisoryCheckOnInstall = on",[34,1118,1119],{},"WARN_SCPM_OSV_MIRROR_REFRESH_FAILED",",\ninstall continues against the prior on-disk index (or empty on first\nsync).",[73,1122,1123,1126,1127,1129],{},[34,1124,1125],{},"advisoryCheckOnInstall = required",": mirror refresh failures map to\n",[34,1128,739],{},". Use when a stale or unreachable\nmirror should block.",[14,1131,1132,1133,605,1137,605,1142,27],{},"Settings:\n",[21,1134,1135],{"href":872},[34,1136,804],{},[21,1138,1140],{"href":1139},"\u002Fdocs\u002Fsettings\u002F#setting-advisorycheckoninstall",[34,1141,975],{},[21,1143,1145],{"href":1144},"\u002Fdocs\u002Fsettings\u002F#setting-advisorycheckeveryinstall",[34,1146,1043],{},[29,1148,1150],{"id":1149},"block-exotic-transitive-dependencies","Block exotic transitive dependencies",[14,1152,1153,1154,142,1157,1160,1161,1164],{},"Reject transitive dependencies that resolve to ",[34,1155,1156],{},"git+",[34,1158,1159],{},"file:",", or direct\ntarball URLs — those skip the registry and its integrity verification. 
Direct\ndeps you pin yourself in ",[34,1162,1163],{},"package.json"," are still allowed.",[42,1166,1168],{"className":44,"code":1167,"language":46,"meta":47,"style":47},"blockExoticSubdeps: true   # default\n",[34,1169,1170],{"__ignoreMap":47},[51,1171,1172,1175,1177,1179],{"class":53,"line":54},[51,1173,1174],{"class":57},"blockExoticSubdeps",[51,1176,61],{"class":60},[51,1178,230],{"class":64},[51,1180,1181],{"class":159},"   # default\n",[14,1183,209,1184,27],{},[21,1185,1187],{"href":1186},"\u002Fdocs\u002Fsettings\u002F#setting-blockexoticsubdeps",[34,1188,1174],{},[29,1190,1192],{"id":1191},"tarball-integrity","Tarball integrity",[14,1194,1195,1196,1198],{},"Every registry tarball is verified against the SHA-512 hash recorded in the\npackument's ",[34,1197,108],{}," field before it is added to the store. Mismatches\nfail the install. The hash is preserved in the lockfile, so subsequent\ninstalls reverify on every fetch.",[14,1200,1201,1202,1205],{},"The content-addressable store itself uses BLAKE3 for the on-disk index — fast\nto compute and immune to length-extension. Linked ",[34,1203,1204],{},"node_modules"," files are\nreflinks (APFS\u002Fbtrfs), hardlinks (ext4), or copies; none of those paths can\nmodify the canonical store entry.",[29,1207,1209],{"id":1208},"auth-tokens","Auth tokens",[14,1211,1212,1213,1216,1217,142,1220,1223,1224,1227,1228,1231,1232,1235],{},"Registry tokens are read from ",[34,1214,1215],{},".npmrc"," (the npm convention) or environment\nvariables (",[34,1218,1219],{},"NPM_TOKEN",[34,1221,1222],{},"SCPM_AUTH_TOKEN",", etc.) and ",[320,1225,1226],{},"never written to the\nlockfile, tarball cache, or logs",". 
",[34,1229,1230],{},"scpm login"," and ",[34,1233,1234],{},"scpm logout"," manage\ntokens via the standard npm config file.",[14,1237,1238,1239,605,1241,142,1244,142,1247,142,1250,1253,1254,27],{},"Inside jailed lifecycle scripts, common token env vars (",[34,1240,1219],{},[34,1242,1243],{},"NODE_AUTH_TOKEN",[34,1245,1246],{},"GITHUB_TOKEN",[34,1248,1249],{},"SSH_AUTH_SOCK",[34,1251,1252],{},"AWS_*",", etc.) are\nscrubbed from the script environment unless explicitly granted via\n",[34,1255,399],{},[29,1257,1259],{"id":1258},"pluggable-security-scanner","Pluggable security scanner",[14,1261,1262,1265,1266,1271,1272,1275,1276,1279,1280,1285,1286,1293],{},[34,1263,1264],{},"securityScanner"," runs a ",[21,1267,1270],{"href":1268,"rel":1269},"https:\u002F\u002Fbun.sh\u002Fdocs\u002Fpm\u002Fsecurity-scanner-api",[25],"Bun-compatible security scanner","\nagainst the resolved install graph. Point the setting at the same\nnpm package you'd put in Bun's ",[34,1273,1274],{},"bunfig.toml#install.security.scanner","\nand scpm loads it through a ",[34,1277,1278],{},"node"," bridge — the\n",[21,1281,1284],{"href":1282,"rel":1283},"https:\u002F\u002Fgithub.com\u002Foven-sh\u002Fsecurity-scanner-template",[25],"oven-sh template","\nand ",[21,1287,1290],{"href":1288,"rel":1289},"https:\u002F\u002Fgithub.com\u002FSocketDev\u002Fbun-security-scanner",[25],[34,1291,1292],{},"@socketsecurity\u002Fbun-security-scanner","\nboth run unchanged.",[42,1295,1297],{"className":44,"code":1296,"language":46,"meta":47,"style":47},"# scpm-workspace.yaml\nsecurityScanner: \"@acme\u002Fbun-security-scanner\"\n",[34,1298,1299,1303],{"__ignoreMap":47},[51,1300,1301],{"class":53,"line":54},[51,1302,160],{"class":159},[51,1304,1305,1307,1309],{"class":53,"line":163},[51,1306,1264],{"class":57},[51,1308,61],{"class":60},[51,1310,1311],{"class":418},"\"@acme\u002Fbun-security-scanner\"\n",[14,1313,1314,1315,1318,1319,1321,1322,1325],{},"The scanner fires post-resolve, sees the full transitive graph\nwith 
resolved versions, and ",[320,1316,1317],{},"fails closed"," on any scanner\nfailure (missing ",[34,1320,1278],{},", unresolvable module, timeout, etc.).\nRequires Node 22.6+. Set ",[34,1323,1324],{},"securityScanner: \"\""," to disable when\nbootstrapping.",[14,1327,457,1328,27],{},[21,1329,1331],{"href":1330},"\u002Fdocs\u002Fpackage-manager\u002Fsecurity-scanner","Security scanner",[29,1333,1335],{"id":1334},"auditing-installed-dependencies","Auditing installed dependencies",[42,1337,1339],{"className":195,"code":1338,"language":197,"meta":47,"style":47},"scpm audit                # list known CVEs at moderate+ severity\nscpm audit --audit-level high\nscpm audit --fix          # write package.json overrides to patched versions\nscpm audit --json | jq    # machine-readable for CI\n",[34,1340,1341,1346,1351,1356],{"__ignoreMap":47},[51,1342,1343],{"class":53,"line":54},[51,1344,1345],{},"scpm audit                # list known CVEs at moderate+ severity\n",[51,1347,1348],{"class":53,"line":163},[51,1349,1350],{},"scpm audit --audit-level high\n",[51,1352,1353],{"class":53,"line":172},[51,1354,1355],{},"scpm audit --fix          # write package.json overrides to patched versions\n",[51,1357,1358],{"class":53,"line":182},[51,1359,1360],{},"scpm audit --json | jq    # machine-readable for CI\n",[14,1362,1363,1364,1231,1367,1370],{},"Same advisory data source as ",[34,1365,1366],{},"npm audit",[34,1368,1369],{},"pnpm audit","; same response\nschema.",[29,1372,1374],{"id":1373},"recommended-baseline","Recommended baseline",[14,1376,1377],{},"For most projects, the following is a good starting point:",[42,1379,1381],{"className":44,"code":1380,"language":46,"meta":47,"style":47},"# scpm-workspace.yaml\nparanoid: true             # bundles jailBuilds, no-downgrade, strict gates\nallowBuilds:\n  esbuild: true\n  sharp: true\n  # ...whatever your project actually needs to 
build\n",[34,1382,1383,1387,1398,1404,1412,1420],{"__ignoreMap":47},[51,1384,1385],{"class":53,"line":54},[51,1386,160],{"class":159},[51,1388,1389,1391,1393,1395],{"class":53,"line":163},[51,1390,36],{"class":57},[51,1392,61],{"class":60},[51,1394,230],{"class":64},[51,1396,1397],{"class":159},"             # bundles jailBuilds, no-downgrade, strict gates\n",[51,1399,1400,1402],{"class":53,"line":172},[51,1401,166],{"class":57},[51,1403,169],{"class":60},[51,1405,1406,1408,1410],{"class":53,"line":182},[51,1407,175],{"class":57},[51,1409,61],{"class":60},[51,1411,65],{"class":64},[51,1413,1414,1416,1418],{"class":53,"line":425},[51,1415,185],{"class":57},[51,1417,61],{"class":60},[51,1419,65],{"class":64},[51,1421,1422],{"class":53,"line":438},[51,1423,1424],{"class":159},"  # ...whatever your project actually needs to build\n",[14,1426,1427,1231,1430,1433,1434,1436,1437,1440],{},[34,1428,1429],{},"trustPolicy=no-downgrade",[34,1431,1432],{},"minimumReleaseAge: 1440"," (24h) are already\ndefault-on; ",[34,1435,858],{}," adds the rest of the bundle on top. 
Pair this\nwith ",[34,1438,1439],{},"scpm audit"," in CI so a newly disclosed CVE fails the build instead of\nsilently shipping. If the CI step pipes the audit output into another command\n(for example jq), enable the shell's pipefail option so a failing audit is not\nmasked by the exit status of the last command in the pipeline.",[1442,1443,1444],"style",{},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .s9eBZ, html code.shiki .s9eBZ{--shiki-default:#22863A;--shiki-dark:#85E89D}html pre.shiki code .sVt8B, html code.shiki .sVt8B{--shiki-default:#24292E;--shiki-dark:#E1E4E8}html pre.shiki code .sj4cs, html code.shiki .sj4cs{--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .sJ8bj, html code.shiki .sJ8bj{--shiki-default:#6A737D;--shiki-dark:#6A737D}html pre.shiki code .sZZnC, html code.shiki .sZZnC{--shiki-default:#032F62;--shiki-dark:#9ECBFF}",{"title":47,"searchDepth":163,"depth":163,"links":1446},[1447,1449,1452,1453,1454,1455,1456,1457,1458,1459,1460,1461,1462],{"id":31,"depth":163,"text":1448},"The paranoid 
switch",{"id":134,"depth":163,"text":135,"children":1450},[1451],{"id":234,"depth":172,"text":235},{"id":356,"depth":163,"text":357},{"id":464,"depth":163,"text":465},{"id":619,"depth":163,"text":620},{"id":679,"depth":163,"text":680},{"id":887,"depth":163,"text":708},{"id":1149,"depth":163,"text":1150},{"id":1191,"depth":163,"text":1192},{"id":1208,"depth":163,"text":1209},{"id":1258,"depth":163,"text":1259},{"id":1334,"depth":163,"text":1335},{"id":1373,"depth":163,"text":1374},"md",{},true,"\u002Fdocs\u002Fsecurity",{"title":5,"description":16},"docs\u002Fsecurity","B8U7XR_Nxv252tRcFWSDxze6cN-Zj1n2rWciAKP7NwY",[1471,1474,1477,1479,1481,1483,1486,1489,1492,1495,1498,1501,1504,1507,1510,1513,1516,1519,1522,1525,1528,1531,1534,1537,1540,1543,1546,1549,1552,1555,1558,1561,1564,1567,1570,1573,1576,1579,1582,1585,1588,1591,1594,1597,1599,1602,1605,1608,1611,1614,1617,1620,1622,1624,1627,1630,1633,1636,1639,1642,1645,1648,1651,1654,1657,1660,1663,1666,1669,1672,1675,1678,1681,1684,1687,1690,1693,1696,1699,1702,1705,1708,1711,1714,1717,1719,1722,1725,1728,1731,1734,1737,1740,1743,1746,1749,1752,1755,1758,1760,1763,1766,1769,1772,1775,1778,1779,1782,1785,1786,1789,1792,1795,1798,1801,1804],{"path":1472,"title":1473},"\u002Fdocs\u002Fbenchmarks","Benchmarks",{"path":1475,"title":1476},"\u002Fdocs\u002Fbun-users","For bun users",{"path":1478,"title":127},"\u002Fdocs\u002Fcli\u002Fadd",{"path":1480,"title":241},"\u002Fdocs\u002Fcli\u002Fapprove-builds",{"path":1482,"title":1439},"\u002Fdocs\u002Fcli\u002Faudit",{"path":1484,"title":1485},"\u002Fdocs\u002Fcli\u002Fbin","scpm bin",{"path":1487,"title":1488},"\u002Fdocs\u002Fcli\u002Fcache","scpm cache",{"path":1490,"title":1491},"\u002Fdocs\u002Fcli\u002Fcache\u002Fdelete","scpm cache delete",{"path":1493,"title":1494},"\u002Fdocs\u002Fcli\u002Fcache\u002Flist","scpm cache list",{"path":1496,"title":1497},"\u002Fdocs\u002Fcli\u002Fcache\u002Flist-registries","scpm cache 
list-registries",{"path":1499,"title":1500},"\u002Fdocs\u002Fcli\u002Fcache\u002Fprune","scpm cache prune",{"path":1502,"title":1503},"\u002Fdocs\u002Fcli\u002Fcache\u002Fview","scpm cache view",{"path":1505,"title":1506},"\u002Fdocs\u002Fcli\u002Fcat-file","scpm cat-file",{"path":1508,"title":1509},"\u002Fdocs\u002Fcli\u002Fcat-index","scpm cat-index",{"path":1511,"title":1512},"\u002Fdocs\u002Fcli\u002Fcheck","scpm check",{"path":1514,"title":1515},"\u002Fdocs\u002Fcli\u002Fci","scpm ci",{"path":1517,"title":1518},"\u002Fdocs\u002Fcli\u002Fclean","scpm clean",{"path":1520,"title":1521},"\u002Fdocs\u002Fcli\u002Fcompletion","scpm completion",{"path":1523,"title":1524},"\u002Fdocs\u002Fcli\u002Fconfig","scpm config",{"path":1526,"title":1527},"\u002Fdocs\u002Fcli\u002Fconfig\u002Fdelete","scpm config delete",{"path":1529,"title":1530},"\u002Fdocs\u002Fcli\u002Fconfig\u002Fexplain","scpm config explain",{"path":1532,"title":1533},"\u002Fdocs\u002Fcli\u002Fconfig\u002Ffind","scpm config find",{"path":1535,"title":1536},"\u002Fdocs\u002Fcli\u002Fconfig\u002Fget","scpm config get",{"path":1538,"title":1539},"\u002Fdocs\u002Fcli\u002Fconfig\u002Flist","scpm config list",{"path":1541,"title":1542},"\u002Fdocs\u002Fcli\u002Fconfig\u002Fset","scpm config set",{"path":1544,"title":1545},"\u002Fdocs\u002Fcli\u002Fconfig\u002Ftui","scpm config tui",{"path":1547,"title":1548},"\u002Fdocs\u002Fcli\u002Fcreate","scpm create",{"path":1550,"title":1551},"\u002Fdocs\u002Fcli\u002Fdedupe","scpm dedupe",{"path":1553,"title":1554},"\u002Fdocs\u002Fcli\u002Fdeploy","scpm deploy",{"path":1556,"title":1557},"\u002Fdocs\u002Fcli\u002Fdeprecate","scpm deprecate",{"path":1559,"title":1560},"\u002Fdocs\u002Fcli\u002Fdeprecations","scpm deprecations",{"path":1562,"title":1563},"\u002Fdocs\u002Fcli\u002Fdiag","scpm diag",{"path":1565,"title":1566},"\u002Fdocs\u002Fcli\u002Fdiag\u002Fanalyze","scpm diag analyze",{"path":1568,"title":1569},"\u002Fdocs\u002Fcli\u002Fdiag\u002Fcompare","scpm diag 
compare",{"path":1571,"title":1572},"\u002Fdocs\u002Fcli\u002Fdist-tag","scpm dist-tag",{"path":1574,"title":1575},"\u002Fdocs\u002Fcli\u002Fdist-tag\u002Fadd","scpm dist-tag add",{"path":1577,"title":1578},"\u002Fdocs\u002Fcli\u002Fdist-tag\u002Fls","scpm dist-tag ls",{"path":1580,"title":1581},"\u002Fdocs\u002Fcli\u002Fdist-tag\u002Frm","scpm dist-tag rm",{"path":1583,"title":1584},"\u002Fdocs\u002Fcli\u002Fdlx","scpm dlx",{"path":1586,"title":1587},"\u002Fdocs\u002Fcli\u002Fdoctor","scpm doctor",{"path":1589,"title":1590},"\u002Fdocs\u002Fcli\u002Fexec","scpm exec",{"path":1592,"title":1593},"\u002Fdocs\u002Fcli\u002Ffetch","scpm fetch",{"path":1595,"title":1596},"\u002Fdocs\u002Fcli\u002Ffind-hash","scpm find-hash",{"path":1598,"title":336},"\u002Fdocs\u002Fcli\u002Fignored-builds",{"path":1600,"title":1601},"\u002Fdocs\u002Fcli\u002Fimport","scpm import",{"path":1603,"title":1604},"\u002Fdocs\u002Fcli","scpm",{"path":1606,"title":1607},"\u002Fdocs\u002Fcli\u002Finit","scpm init",{"path":1609,"title":1610},"\u002Fdocs\u002Fcli\u002Finstall","scpm install",{"path":1612,"title":1613},"\u002Fdocs\u002Fcli\u002Flicenses","scpm licenses",{"path":1615,"title":1616},"\u002Fdocs\u002Fcli\u002Flink","scpm link",{"path":1618,"title":1619},"\u002Fdocs\u002Fcli\u002Flist","scpm list",{"path":1621,"title":1230},"\u002Fdocs\u002Fcli\u002Flogin",{"path":1623,"title":1234},"\u002Fdocs\u002Fcli\u002Flogout",{"path":1625,"title":1626},"\u002Fdocs\u002Fcli\u002Foutdated","scpm outdated",{"path":1628,"title":1629},"\u002Fdocs\u002Fcli\u002Fpack","scpm pack",{"path":1631,"title":1632},"\u002Fdocs\u002Fcli\u002Fpatch","scpm patch",{"path":1634,"title":1635},"\u002Fdocs\u002Fcli\u002Fpatch-commit","scpm patch-commit",{"path":1637,"title":1638},"\u002Fdocs\u002Fcli\u002Fpatch-remove","scpm patch-remove",{"path":1640,"title":1641},"\u002Fdocs\u002Fcli\u002Fpeers","scpm peers",{"path":1643,"title":1644},"\u002Fdocs\u002Fcli\u002Fpeers\u002Fcheck","scpm peers 
check",{"path":1646,"title":1647},"\u002Fdocs\u002Fcli\u002Fprune","scpm prune",{"path":1649,"title":1650},"\u002Fdocs\u002Fcli\u002Fpublish","scpm publish",{"path":1652,"title":1653},"\u002Fdocs\u002Fcli\u002Fpurge","scpm purge",{"path":1655,"title":1656},"\u002Fdocs\u002Fcli\u002Fquery","scpm query",{"path":1658,"title":1659},"\u002Fdocs\u002Fcli\u002Frebuild","scpm rebuild",{"path":1661,"title":1662},"\u002Fdocs\u002Fcli\u002Frecursive","scpm recursive",{"path":1664,"title":1665},"\u002Fdocs\u002Fcli\u002Fremove","scpm remove",{"path":1667,"title":1668},"\u002Fdocs\u002Fcli\u002Frestart","scpm restart",{"path":1670,"title":1671},"\u002Fdocs\u002Fcli\u002Froot","scpm root",{"path":1673,"title":1674},"\u002Fdocs\u002Fcli\u002Frun","scpm run",{"path":1676,"title":1677},"\u002Fdocs\u002Fcli\u002Fsbom","scpm sbom",{"path":1679,"title":1680},"\u002Fdocs\u002Fcli\u002Fsponsors","scpm sponsors",{"path":1682,"title":1683},"\u002Fdocs\u002Fcli\u002Fstage","scpm stage",{"path":1685,"title":1686},"\u002Fdocs\u002Fcli\u002Fstart","scpm start",{"path":1688,"title":1689},"\u002Fdocs\u002Fcli\u002Fstop","scpm stop",{"path":1691,"title":1692},"\u002Fdocs\u002Fcli\u002Fstore","scpm store",{"path":1694,"title":1695},"\u002Fdocs\u002Fcli\u002Fstore\u002Fadd","scpm store add",{"path":1697,"title":1698},"\u002Fdocs\u002Fcli\u002Fstore\u002Fpath","scpm store path",{"path":1700,"title":1701},"\u002Fdocs\u002Fcli\u002Fstore\u002Fprune","scpm store prune",{"path":1703,"title":1704},"\u002Fdocs\u002Fcli\u002Fstore\u002Fstatus","scpm store status",{"path":1706,"title":1707},"\u002Fdocs\u002Fcli\u002Ftest","scpm test",{"path":1709,"title":1710},"\u002Fdocs\u002Fcli\u002Fundeprecate","scpm undeprecate",{"path":1712,"title":1713},"\u002Fdocs\u002Fcli\u002Funlink","scpm unlink",{"path":1715,"title":1716},"\u002Fdocs\u002Fcli\u002Funpublish","scpm unpublish",{"path":1718,"title":703},"\u002Fdocs\u002Fcli\u002Fupdate",{"path":1720,"title":1721},"\u002Fdocs\u002Fcli\u002Fversion","scpm 
version",{"path":1723,"title":1724},"\u002Fdocs\u002Fcli\u002Fview","scpm view",{"path":1726,"title":1727},"\u002Fdocs\u002Fcli\u002Fwhy","scpm why",{"path":1729,"title":1730},"\u002Fdocs\u002Ferror-codes","Error and warning codes",{"path":1732,"title":1733},"\u002Fdocs\u002Fgetting-started","Getting Started",{"path":1735,"title":1736},"\u002Fdocs\u002Fguide","Guide",{"path":1738,"title":1739},"\u002Fdocs","SCPM Documentation",{"path":1741,"title":1742},"\u002Fdocs\u002Finstallation","Installation",{"path":1744,"title":1745},"\u002Fdocs\u002Fnpm-users","For npm users",{"path":1747,"title":1748},"\u002Fdocs\u002Fpackage-manager\u002Fconfiguration","Configuration",{"path":1750,"title":1751},"\u002Fdocs\u002Fpackage-manager\u002Fdependencies","Manage dependencies",{"path":1753,"title":1754},"\u002Fdocs\u002Fpackage-manager\u002Fglobal-virtual-store","Global virtual store",{"path":1756,"title":1757},"\u002Fdocs\u002Fpackage-manager\u002Finstall","Install dependencies",{"path":460,"title":1759},"Jailed dependency builds",{"path":1761,"title":1762},"\u002Fdocs\u002Fpackage-manager\u002Flifecycle-scripts","Lifecycle scripts",{"path":1764,"title":1765},"\u002Fdocs\u002Fpackage-manager\u002Flockfiles","Lockfiles",{"path":1767,"title":1768},"\u002Fdocs\u002Fpackage-manager\u002Fnode-modules","node_modules layout",{"path":1770,"title":1771},"\u002Fdocs\u002Fpackage-manager\u002Fpublishing","Publishing",{"path":1773,"title":1774},"\u002Fdocs\u002Fpackage-manager\u002Fregistry-auth","Registry and auth",{"path":1776,"title":1777},"\u002Fdocs\u002Fpackage-manager\u002Fscripts","Run scripts and binaries",{"path":1330,"title":1331},{"path":1780,"title":1781},"\u002Fdocs\u002Fpackage-manager\u002Fworkspaces","Workspaces",{"path":1783,"title":1784},"\u002Fdocs\u002Fpnpm-users","For pnpm users",{"path":1466,"title":5},{"path":1787,"title":1788},"\u002Fdocs\u002Fsettings\u002Fcli","CLI Settings",{"path":1790,"title":1791},"\u002Fdocs\u002Fsettings\u002Fenv","Environment 
Settings",{"path":1793,"title":1794},"\u002Fdocs\u002Fsettings","Settings",{"path":1796,"title":1797},"\u002Fdocs\u002Fsettings\u002Fnpmrc",".npmrc Settings",{"path":1799,"title":1800},"\u002Fdocs\u002Fsettings\u002Fworkspace-yaml","Workspace YAML Settings",{"path":1802,"title":1803},"\u002Fdocs\u002Ftroubleshooting","Troubleshooting",{"path":1805,"title":1806},"\u002Fdocs\u002Fyarn-users","For yarn users",1780584396924]