How sandbox runs risky installs in a throwaway container

15 Jun 2026

@jagreehal/sandbox-node runs your npm install in a throwaway container that can see your project and the registry, and nothing else.

Install scripts still run. node-gyp still builds. Your SSH keys, npm token, cloud credentials, and .env are not in the box, so a malicious dependency has nothing to steal and nowhere to send it.

How to put sandbox in front of npm, pnpm, yarn, and bun

15 Jun 2026

Get the sandbox command, run one setup step, and put sandbox in front of the commands you already run.

New to Node, or not sure why npm install is risky in the first place? Start with why install-time code is a trust decision, then what running it in a throwaway container buys you. Otherwise, read on.

Arrange Act Assert

Jag Reehals thinking on things, mostly product development

Tag: pnpm

How sandbox runs risky installs in a throwaway container

How to put sandbox in front of npm, pnpm, yarn, and bun