v0.3.2
11 Jan 2026

Package Executor Support & Enhanced Proxy Mode

New Package Executor Support

PMG now supports package executors npx and pnpx, expanding protection beyond traditional package managers to include package execution scenarios.

Usage Examples

# Protection for npx commands
pmg npx create-react-app my-app

# Protection for pnpx commands  
pmg pnpx create-next-app my-next-app

Enhanced Experimental Proxy Mode

The experimental proxy mode has been expanded to support additional package managers: bun, yarn, pnpm, npx, and pnpx.

Usage

# Now supported with proxy mode
pmg --experimental-proxy-mode bun install lodash
pmg --experimental-proxy-mode yarn add lodash
pmg --experimental-proxy-mode pnpm install lodash

pmg --experimental-proxy-mode npx create-react-app my-app
pmg --experimental-proxy-mode pnpx create-next-app my-app

Supported Package Managers For Proxy

Package Manager | Status
npm             | ✅ Active
npx             | ✅ Active
pnpx            | ✅ Active
pnpm            | ✅ Active
yarn            | ✅ Active
bun             | ✅ Active
pip             | 🕒 Planned
uv              | 🕒 Planned
poetry          | 🕒 Planned

For more details see: PMG Docs
GitHub Repository: https://github.com/safedep/pmg

v0.3.1
9 Jan 2026

Trusted Packages & Experimental Proxy Mode

Trusted Packages

PMG allows you to mark a package as trusted. Trusted packages are not scanned and are always allowed to be installed.

Configuration

Trusted packages are configured in the config.yml file. See config template for the configuration schema. If you don’t have a config.yml file, you can create one by running pmg setup install.

Example

trusted_packages:
- purl: pkg:npm/@safedep/pmg
  reason: "All versions of PMG are trusted"
- purl: pkg:npm/express@4.18.0
  reason: "Version 4.18.0 of Express is a trusted package"

Proxy Mode

PMG supports experimental proxy-based interception as an alternative to the current optimistic dependency resolution. When enabled via the --experimental-proxy-mode flag:
  • PMG starts a micro-proxy server on a random localhost port
  • Runs npm and other supported package managers configured to use the proxy
  • Intercepts package registry requests and analyzes packages as they are downloaded
  • Blocks malicious packages and allows trusted packages to be installed
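
The trusted-package decision implied by the config example and the proxy steps above, as an added Go example that is not PMG's own code: it maps an npm registry tarball path to a purl and matches it against the trusted list. The function names, the sample request paths and the exact-name matching rule are assumptions of this example; the purl form follows the trusted_packages example on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// purlFromTarballPath maps an npm registry tarball path such as
// "/@safedep/pmg/-/pmg-0.3.2.tgz" to a purl in the form config.yml uses.
func purlFromTarballPath(path string) (string, bool) {
	name, file, ok := strings.Cut(strings.TrimPrefix(path, "/"), "/-/")
	base := name[strings.LastIndex(name, "/")+1:] // drop "@scope/"
	stem := strings.TrimSuffix(file, ".tgz")
	if !ok || stem == file || !strings.HasPrefix(stem, base+"-") || len(stem) == len(base)+1 {
		return "", false // metadata request or unexpected shape
	}
	return "pkg:npm/" + name + "@" + stem[len(base)+1:], true
}

// splitPurl splits off "@version"; an npm scope's "@" precedes the last "/".
func splitPurl(p string) (string, string) {
	if i := strings.LastIndex(p, "@"); i > strings.LastIndex(p, "/") {
		return p[:i], p[i+1:]
	}
	return p, ""
}

// isTrusted compares names exactly (never by prefix). An entry without a
// version trusts all versions; a versioned entry trusts only that version.
func isTrusted(purl string, trusted []string) bool {
	name, version := splitPurl(purl)
	for _, t := range trusted {
		if tn, tv := splitPurl(t); tn == name && (tv == "" || tv == version) {
			return true
		}
	}
	return false
}

func main() {
	trusted := []string{"pkg:npm/@safedep/pmg", "pkg:npm/express@4.18.0"}
	for _, p := range []string{ // constructed request paths
		"/@safedep/pmg/-/pmg-0.3.2.tgz", "/express/-/express-4.18.0.tgz",
		"/express/-/express-4.18.1.tgz", "/express-session/-/express-session-1.17.3.tgz",
	} {
		purl, ok := purlFromTarballPath(p)
		fmt.Println(purl, ok && isTrusted(purl, trusted))
	}
}
```

Only the first two paths come out trusted: a different version of a version-pinned entry and a package whose name merely starts with a trusted name both fall through to analysis.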

Usage

pmg --experimental-proxy-mode npm install lodash

Configuration

To permanently enable proxy mode, add the following to your config.yml file:
experimental_proxy_mode: true

Supported Package Managers

Package Manager | Status
npm             | ✅ Active
npx             | 🕒 Planned
pnpx            | 🕒 Planned
pnpm            | 🕒 Planned
yarn            | 🕒 Planned
bun             | 🕒 Planned
pip             | 🕒 Planned
uv              | 🕒 Planned
poetry          | 🕒 Planned

For more details see: PMG Docs
GitHub Repository: https://github.com/safedep/pmg