The install step is the most dangerous moment in your day

A compromised dependency does its damage at install time. Post-install scripts run, code executes, and by the time a scanner notices, it has already touched the machine. The defence that matters is the one that acts before that moment.

Why “after” is too late

Vulnerability dashboards and audit reports are useful, but they look backwards. They tell a developer what is already installed. An attacker who slips a malicious version into a popular package is counting on that gap — the hours or days between publish and detection — to reach as many machines as possible.

Freshly published releases are the sharp edge of this problem. A brand-new version has had the least scrutiny, so it is both the most likely to be malicious and the least likely to be flagged yet.

Move the check earlier

A pre-install gate changes the order of operations. It resolves what a package manager is about to install, checks each package against the public vulnerability databases — NIST NVD, OSV.dev, the GitHub Advisory database — and fails closed if anything is known-bad or suspiciously new. Nothing is written, nothing is executed, until the check passes.

That is the whole idea behind the 5bats CVE gates for pip, Composer and Homebrew: make the safest moment the default one, with no extra step to remember.

Fail closed, stay boring

Security tooling earns trust by being predictable. A 5bats gate that cannot verify something denies it — every time, with no surprises. Boring, default-on protection beats clever protection that waits to be configured.
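The pre-install gate described above, sketched as an added example in Python (this is illustrative code, not 5bats code). It parses a pinned pip-style requirements list, checks each pin against an advisory feed and a release-date feed, and applies the two rules the post names: deny anything known-bad, deny anything suspiciously new. It also fails closed the way the previous section describes: an unpinned requirement, or a package the feeds know nothing about, is denied rather than guessed at. The package names, advisory identifiers, dates and the two in-memory feeds are constructed stand-ins for what a real gate would fetch from NIST NVD, OSV.dev or the GitHub Advisory database.

```python
"""Pre-install gate sketch (added example, not 5bats code).

Checks a pinned requirements list against an advisory feed and a
release-date feed before anything is installed, and fails closed: any
package that is known-vulnerable, too new, unpinned, or simply unknown
to the feeds is denied. Both feeds here are constructed in-memory
stand-ins for NVD / OSV.dev / GitHub Advisory data.
"""
from dataclasses import dataclass
from datetime import date
import re

# Accept only exact pins: name==version (comments are stripped first).
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([A-Za-z0-9_.+-]+)\s*$")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: tuple  # one entry per denial; empty when the install is allowed


def parse_requirements(text):
    """Return [(name, version)] for 'pkg==ver' lines; raise on anything else.

    Raising is deliberate: an unpinned or range requirement cannot be
    matched to a specific advisory, so the gate refuses to guess."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins.append((m.group(1).lower(), m.group(2)))
    return pins


def gate(requirements, advisories, release_dates, today, min_age_days=3):
    """Decide whether an install may proceed.

    advisories:    {(name, version): [advisory_id, ...]}  known-bad pins
    release_dates: {(name, version): date}                publish date of each pin
    Fail closed: a pin with no release metadata is 'cannot verify' and is denied.
    """
    try:
        pins = parse_requirements(requirements)
    except ValueError as exc:
        return Decision(False, (str(exc),))

    reasons = []
    for name, version in pins:
        key = (name, version)
        ids = advisories.get(key, [])
        if ids:
            reasons.append(f"{name}=={version}: known-vulnerable ({', '.join(ids)})")
            continue
        published = release_dates.get(key)
        if published is None:
            reasons.append(f"{name}=={version}: no release metadata, cannot verify")
            continue
        age = (today - published).days
        if age < min_age_days:
            reasons.append(
                f"{name}=={version}: published {age} day(s) ago, "
                f"below {min_age_days}-day minimum"
            )
    return Decision(not reasons, tuple(reasons))


# --- constructed sample feeds: placeholder names, IDs and dates, not real advisories ---
TODAY = date(2024, 6, 10)
ADVISORIES = {("example-http", "1.4.2"): ["EXAMPLE-2024-0001"]}
RELEASE_DATES = {
    ("example-http", "1.4.2"): date(2024, 1, 15),
    ("example-http", "1.4.3"): date(2024, 3, 2),
    ("example-yaml", "6.0.1"): date(2024, 6, 9),   # one day old: suspiciously new
    ("example-cli", "2.0.0"): date(2023, 11, 20),
}


def demo():
    """Run the gate over one clean and one problematic requirements list."""
    good = "example-http==1.4.3\nexample-cli==2.0.0  # pinned and old enough\n"
    bad = "example-http==1.4.2\nexample-yaml==6.0.1\nexample-unknown==0.1.0\n"
    return (gate(good, ADVISORIES, RELEASE_DATES, TODAY),
            gate(bad, ADVISORIES, RELEASE_DATES, TODAY))


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY", *d.reasons, sep="\n  ")
```

The minimum-age window is the tunable part: three days is an arbitrary constructed value, and whatever a team picks, the gate should still deny on missing data rather than treat "no advisory found" as "safe".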
