What do you mean by safe config? If you're trying to mandate a cooldown period or a whitelist/blacklist of packages, the correct approach is to configure a company-controlled registry that pulls from the upstream npm registry while enforcing your desired policies.
Just don't use npm. Use a package manager which doesn't execute postinstall by default. The switch is incredibly simple.
Which package manager is that, and what caveats does it offer?
Pnpm - installs are faster to boot. We haven’t missed anything