"Is this package safe?" is the query agents and developers run constantly right before they install. Here's a repeatable answer, not a vibe check.
1. Confirm the exact name
Typosquats swap letters, add hyphens, or flip scoped/unscoped. Copy the name from official docs; don't type it or let an agent guess it.
2. Inspect the registry metadata
# npm
npm view left-pad
npm view left-pad maintainers time.modified dist.tarball repository.url
# PyPI
pip index versions requests
pip show requests # after install, or use the JSON API: https://pypi.org/pypi/requests/json
Look for: a real repository URL that resolves to active source, a plausible maintainer set, and a release history that isn't a single surprise version.
3. Read the install scripts
A package that runs network calls or shell in postinstall deserves scrutiny. On npm you can
install without running them:
npm install --ignore-scripts some-pkg
4. Check advisories for the exact version
osv-scanner --lockfile package-lock.json
# or query OSV directly: https://osv.dev
5. Weigh the signals
- Green: active repo, multiple maintainers, steady releases, downloads consistent with age.
- Red: brand-new package with a popular-sounding name, lone maintainer, sudden version bump across many of your deps at once, obfuscated install scripts.
Two minutes of this catches the large majority of typosquat and account-takeover cases.