🌱 Project Story — SafeForge NPM
About the Project
SafeForge NPM started from a simple but uncomfortable realization:
we trust a lot of code that we never actually see.
Modern software development relies heavily on third‑party packages. Installing one dependency often means pulling in dozens or even hundreds of others. Most of the time, this works — until a supply‑chain attack shows up and reminds us that this trust is often blind.
SafeForge NPM explores a different question:
What if we could inspect a package before trusting it — not just by reputation or CVEs, but by observing what it actually tries to do?
💡 What Inspired Us
Over the past few years, software supply‑chain attacks have been increasing across the industry. These attacks don’t look like traditional hacks. They often involve packages that appear legitimate, pass standard checks, and only reveal their intent during installation or runtime.
What stood out to us was that most tools focus on what is already known, while many real attacks succeed in the unknown window — before anything is officially reported.
That gap is what inspired SafeForge NPM.
🛠️ How We Built It
SafeForge NPM is a dashboard‑first supply‑chain intelligence platform.
At a high level, the workflow looks like this:
express@4.17.1
- Resolve the full recursive dependency tree
- Check known vulnerabilities using advisory databases
- Execute the package inside a hardened sandbox
- Observe runtime behavior such as network calls and command execution
- Generate an explainable risk verdict
Instead of overwhelming users with raw logs, SafeForge focuses on clear, evidence‑based explanations that help people make informed decisions.
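A minimal sketch of the workflow listed above, added here as an illustration and not SafeForge's own code: it walks a dependency graph, then merges advisory hits and sandbox observations into a verdict that keeps its evidence. The registry, the advisory ID, the observations (stand-ins for what a sandbox run would record) and the high/medium/low rule are all constructed assumptions.

```javascript
// Constructed sample data: a tiny in-memory "registry", advisory hits and
// sandbox observations. None of it comes from SafeForge or from a real scan.
const REGISTRY = {
  "app@1.0.0": ["web@2.0.0", "log@1.1.0"],
  "web@2.0.0": ["parse@0.3.0", "log@1.1.0"],
  "parse@0.3.0": ["tiny@0.0.1"],
  "log@1.1.0": [],
  "tiny@0.0.1": ["web@2.0.0"], // dependency cycle: the walk must still terminate
};
const ADVISORIES = { "parse@0.3.0": ["EXAMPLE-ADVISORY-1"] }; // placeholder ID
const OBSERVED = {
  "tiny@0.0.1": [
    { kind: "network", detail: "outbound connection during install" },
    { kind: "exec", detail: "spawned a shell command" },
  ],
};

// Breadth-first walk: records each package once, at its minimum depth.
function resolveTree(root, registry) {
  const depth = new Map([[root, 0]]);
  const queue = [root];
  while (queue.length > 0) {
    const pkg = queue.shift();
    for (const dep of registry[pkg] ?? []) {
      if (depth.has(dep)) continue; // shared dependency or cycle
      depth.set(dep, depth.get(pkg) + 1);
      queue.push(dep);
    }
  }
  return depth;
}

// Combine known advisories with observed behavior. Every finding carries the
// evidence that produced it, so the verdict can be explained to a reviewer.
function verdict(root, registry, advisories, observed) {
  const findings = [];
  for (const [pkg, depth] of resolveTree(root, registry)) {
    for (const id of advisories[pkg] ?? [])
      findings.push({ pkg, depth, source: "advisory", evidence: id });
    for (const ev of observed[pkg] ?? [])
      findings.push({ pkg, depth, source: "behavior", evidence: `${ev.kind}: ${ev.detail}` });
  }
  // Rating rule is an assumption for this example, not SafeForge's scoring.
  const behavioral = findings.some((f) => f.source === "behavior");
  const level = behavioral ? "high" : findings.length > 0 ? "medium" : "low";
  return { root, level, findings };
}

console.log(JSON.stringify(verdict("app@1.0.0", REGISTRY, ADVISORIES, OBSERVED), null, 2));
```

In the sample data, the package with no advisory entry (`tiny@0.0.1`, three levels down) is the one that drives the verdict to "high", which is the case the lessons below describe.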
📚 What We Learned
Building SafeForge NPM taught us a few important lessons:
- A package with zero known CVEs can still be risky
- Behavior often matters more than popularity or reputation
- Security tools should explain why something is risky, not just flag it
- Visual context (graphs, evidence, timelines) makes security decisions easier
We also learned that AI is most useful in security when it is defensive and transparent, helping humans understand risk rather than acting as a black box.
Sometimes, risk grows faster than we expect — not linearly with dependency count (n), but closer to:
$$ \text{Risk} \propto (\text{Dependency Depth})^2 $$
⚙️ Challenges We Faced
One of the biggest challenges was balancing depth and clarity. Supply‑chain security can become very technical very quickly, so we had to constantly simplify without losing meaning.
Designing safe sandbox execution was another challenge. We needed to observe real behavior without putting the host system at risk, which required conservative defaults and careful isolation.
Even recording the demo video on Linux introduced unexpected hurdles — a reminder that real‑world systems are often messy and imperfect.
Each challenge pushed us to refine both the product experience and the story we’re telling.
🚀 Why This Matters
SafeForge NPM is not trying to replace existing tools.
It aims to add visibility where there currently is none.
By combining known vulnerability intelligence with observed behavior, SafeForge helps teams make better decisions before a dependency becomes a liability.
Trust should be earned — not assumed.
Built With
- ai/llm-apis
- dependency
- docker
- github-advisory-database
- graph
- javascript
- linux
- node.js
- npm-registry-api
- nvd-cve-data
- osv.dev-api
- react
- sandbox-execution
- tailwind-css
- typescript
- vite