Beta v0.2.3 · Linux & macOS

Install packages.
Not threats.

ringfence runs npm install, pnpm add, and friends inside a lightweight bwrap sandbox. Your SSH keys, cloud credentials, and .env files stay yours. No allowlists. No daemon. No config.

Get started Read the docs
Local dev dependency · Open source (MIT)
Live threat

The TanStack supply-chain worm

In May 2026, a worm compromised 84 npm packages with valid SLSA Build Level 3 provenance. Postinstall scripts exfiltrated CI/CD secrets, SSH keys, cloud credentials, and crypto wallets. It spread undetected because it looked legitimate.

ringfence stops this class of attack at the OS level. Postinstall scripts run in a sandbox where your secrets simply do not exist.

How it works

Three layers of protection

From shell shim to kernel sandbox, nothing changes in your workflow.

01

Global shims

The one-line installer puts lightweight shims on your PATH. No aliases, no wrappers to remember. When you run npm install, ringfence intercepts it automatically.

02

bwrap sandbox

The install runs inside a Bubblewrap container. Secrets in ~/.ssh, ~/.aws, and your environment variables are invisible to postinstall scripts.

03

Zero config

Non-install commands pass through unchanged. No allowlists, no policy files, no daemon. Just sandboxed package management that works out of the box.

Compatible

Works with every major package manager

Your existing commands. Same flags. Same output. Just sandboxed.

n npm 
$ npm install express
p pnpm 
$ pnpm add zod
y yarn 
$ yarn add react
b bun 
$ bun add @hono/hono
Install

Two commands. Any project.

Install as a dev dependency, then activate. Works with npm, pnpm, yarn, and bun.

terminal 
$ npm i -D ringfence
$ npx ringfence

Auto-detects your OS and sets up bubblewrap (Linux) or Docker (macOS). Then every npm install runs sandboxed.

Protected

What ringfence hides

Every install runs in a clean room. These never reach postinstall scripts.

🔒 Credentials
  • .env, .env.*
  • .netrc, .pgpass
  • credentials, secrets
🗡 SSH & TLS keys
  • id_rsa*, id_ed25519*
  • *.pem, *.key, *.crt
  • known_hosts
Cloud config
  • ~/.aws, ~/.azure
  • service-account*.json
  • gcloud-*.json
Environment vars
  • *TOKEN*, *SECRET*
  • *API_KEY*, *PASSWORD*
  • AWS_, GITHUB_, NPM_
📄 Certificates
  • *.pfx, *.p12, *.jks
  • *.gpg, *.asc
  • *.cer, *.keystore
🛡 Entire $HOME
  • Replaced with tmpfs
  • ~/.ssh, ~/.gnupg hidden
  • Except ~/.npmrc, ~/.yarnrc

~/.npmrc and ~/.yarnrc are mounted read-only so private registry auth still works. Everything else in $HOME is invisible.