Install-time controls are CLI settings that restrict which package sources npm will accept during installation. Instead of letting a project fetch code from any supported location, these controls can limit installs to approved sources such as the registry and block inputs like git references, local paths, remote URLs, or file-based packages.
They matter because the install step is a common trust boundary in software supply chains. Attackers can abuse flexible dependency sources to slip in unreviewed code, poison builds, or exploit automation that accepts dependencies too broadly. By narrowing allowed sources, teams reduce accidental exposure and make malicious or unexpected package intake harder. In defense, these controls work best when paired with code review, locked dependencies, and clear build policies, since they limit where code can come from but do not validate whether the code itself is safe.



