I made supply-chain security a blocking step of npm install (opens in new tab)

The gap npm audit runs after the install. By then the package — and any postinstall script it shipped — is already on your machine. For supply-chain attacks, "after" is too late. So I built Vault: an npm-compatible, pnpm-style package manager (written in Rust) that makes the security check part of install itself. ## What it does before touching node_modules Blocks known CVEs. It audits the resolved graph (OSV + a static scan) and refuses to install critical/high vulnerabilities. --force exist...