
PMG Repository

View the PMG source code and contribute on GitHub
Package Manager Guard (PMG) wraps your package manager and blocks malicious packages at install time.
PMG requires no configuration: install it and use your package managers as you normally would.
For what PMG is and how it works, see the PMG overview.

Installation

Using Homebrew

brew install safedep/tap/pmg

Using Go Install

go install github.com/safedep/pmg@latest

Download Binary

Download the latest release from our GitHub releases page and add it to your PATH.

Quick Setup

Run PMG’s automated setup:
# Install shell aliases automatically
pmg setup install
This command:
  • Creates ~/.pmg.rc with package manager aliases
  • Adds a source line to your shell configuration files
  • Supports bash, zsh, and fish shells
After running pmg setup install, restart your terminal or run source ~/.zshrc (or your shell’s config file) to activate the aliases.

Manual Usage (Alternative)

To run PMG without aliases:
pmg npm install <package-name>
pmg pnpm add <package-name>
pmg pip install <package-name>
If PMG detects a malicious package, it blocks the install and displays a warning.

Supported Package Managers

PMG supports these package managers:
Package Manager | Status | Command
----------------|--------|------------------------------------------------------
npm             | Active | pmg npm install <package>
npx             | Active | pmg npx <package> <action>
pnpm            | Active | pmg pnpm add <package>
pnpx            | Active | pmg pnpx <package> <action>
bun             | Active | pmg bun add <package>
pip             | Active | pmg pip install <package>
uv              | Active | pmg uv add <package> or pmg uv pip install <package>
poetry          | Active | pmg poetry add <package>
yarn            | Active | pmg yarn add <package>

Troubleshooting

If PMG isn’t working after setup

  1. Restart your terminal
  2. Check that interception is active: which npm should resolve to ~/.pmg/bin/npm (the PMG shim). If it points to system npm, make sure ~/.pmg/bin is early in your $PATH, or run type npm to check for a shell alias.
  3. Verify PMG installation: pmg version
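The following script, added here as an example and not part of PMG itself, performs step 2 for every package manager in the table above: it reports whether each one resolves to the PMG shim directory (~/.pmg/bin, as stated above; the PMG_SHIM_DIR override is an assumed variable, not a PMG option) or to a pmg shell alias, or falls through unprotected to the system binary.

```shell
#!/bin/sh
# Added example (not part of PMG): check that each package manager PMG supports
# is actually intercepted in the current shell, either via the PMG shim
# directory (~/.pmg/bin) or via a pmg alias from ~/.pmg.rc.
# PMG_SHIM_DIR is an assumed override for this script, not a PMG setting.

PMG_SHIM_DIR="${PMG_SHIM_DIR:-$HOME/.pmg/bin}"
# The managers listed in the "Supported Package Managers" table.
PMG_MANAGERS="npm npx pnpm pnpx bun pip uv poetry yarn"

# pmg_resolves_to_shim NAME DIR
#   0 = NAME is intercepted (shim under DIR, or a pmg alias)
#   1 = NAME resolves to something else (unprotected system binary)
#   2 = NAME is not found at all
pmg_resolves_to_shim() {
    _name=$1
    _dir=$2
    [ -n "$_dir" ] || return 1
    # `command -v` prints a path for executables and, when this file is
    # sourced in an interactive bash/zsh, the alias definition for aliases.
    _resolved=$(command -v "$_name" 2>/dev/null) || return 2
    [ -n "$_resolved" ] || return 2
    case "$_resolved" in
        "$_dir"/*)      return 0 ;;   # PATH lookup hit the shim directory
        *alias*pmg*)    return 0 ;;   # "alias npm='pmg npm'" / "npm: aliased to pmg npm"
        *)              return 1 ;;
    esac
}

# pmg_interception_report [DIR]
# Prints one line per manager; the return value is the number of managers that
# are installed but not intercepted (0 means every installed manager is covered).
pmg_interception_report() {
    _dir=${1:-$PMG_SHIM_DIR}
    _unprotected=0
    for _pm in $PMG_MANAGERS; do
        _rc=0
        pmg_resolves_to_shim "$_pm" "$_dir" || _rc=$?
        case $_rc in
            0) echo "$_pm: intercepted" ;;
            1) echo "$_pm: NOT intercepted, resolves to $(command -v "$_pm")"
               _unprotected=$((_unprotected + 1)) ;;
            2) echo "$_pm: not installed" ;;
        esac
    done
    return $_unprotected
}

pmg_interception_report "$PMG_SHIM_DIR" || echo "$? manager(s) not intercepted"
```

Source the file in your interactive shell (. ./pmg-check.sh) rather than running it as a separate process, because aliases from ~/.pmg.rc are not visible to a child script.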

If packages are incorrectly blocked

  1. Run with --verbose to see detection details
  2. Check the SafeDep community for known issues
  3. Report false positives on GitHub Issues

Next Steps

Run pmg --help to see all available commands and options. PMG runs transparently in the background and only surfaces when it blocks a malicious package.