TypeScript's compiler is trustworthy; the exposure is the ecosystem around it — ts-node,
loaders, and the thousands of @types/* packages you pull without reading.
Install
npm install -D typescript
npx tsc --init # generates tsconfig.json
Where risk enters
@types/*packages are published by many different authors via DefinitelyTyped; a typosquatted or malicious types package is a real vector. Confirm the name maps to the library you use.- Loaders/runners (
ts-node, SWC, esbuild plugins) execute code at build/run time — treat them as privileged. tsconfig"extends" can pull a shared config from a package; that package is code you trust implicitly. Review it.
Verify before adding
npm view @types/node maintainers repository.url
osv-scanner --lockfile package-lock.json