Automic Vault

brew package intelligence

node

Automic Vault tracks node because its plain-text publishing token matters when AI agents run command-line tools on macOS.

overview

What Automic Vault knows about node

Open-source, cross-platform JavaScript runtime environment

Homepage

Not present in the local metadata.

Commands and aliases

No executable aliases were found in the local package database.

radioisotope

Plain Text Publishing Token

`npm publish` commonly relies on an auth token stored in ~/.npmrc. Our isotope stores that token in the macOS keychain and injects it only when `npm publish` runs.

Local README excerpt

Node Radioisotope

This radioisotope modifies the Homebrew node package, but only changes the installed npm launcher. node and npx continue to run without isotope credential injection.

Security Model

Plaintext npm publishing tokens are commonly stored in ~/.npmrc as _authToken entries. The migration stores one token in the Automic Vault isotope keychain as NODE_AUTH_TOKEN and rewrites matching npm config entries to reference ${NODE_AUTH_TOKEN}.

The post-install hook wraps /opt/node/bin/npm. The wrapper injects NODE_AUTH_TOKEN only when an npm publish invocation is detected, then execs the original npm launcher.

Caveats

  • Only one npm publishing token is supported.
  • Multiple distinct _authToken values fail migration and must be handled manually.
  • Project-level npm configs are not migrated; only the npm user config is inspected.

Source: data/radioisotopes/node/README.md

Caveats

  • We currently support one npm publishing token.
  • Existing npm config entries are rewritten to reference NODE_AUTH_TOKEN.
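
A pre-migration check for the cases in the Security Model and Caveats above, as an added example that is not Automic Vault's own code: it classifies the `_authToken` entries in npm user-config text and reports line numbers only, never token values. The status labels, function name and sample configs are constructed for illustration.

```python
import re
from pathlib import Path

# "//registry.example/:_authToken=..." or a bare "_authToken=..." entry.
AUTH_LINE = re.compile(r"^(?://[^=\s]+:)?_authToken\s*=\s*(?P<value>.*)$")
ENV_REF = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")  # e.g. ${NODE_AUTH_TOKEN}

def audit_npmrc(text):
    """Classify _authToken entries; report line numbers only, never values."""
    plaintext, referenced, distinct = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or npmrc comment
            continue
        m = AUTH_LINE.match(line)
        if not m:
            continue
        value = m.group("value").strip().strip("\"'")
        if ENV_REF.fullmatch(value):
            referenced.append(lineno)
        elif value:
            plaintext.append(lineno)
            distinct.add(value)
    if len(distinct) > 1:
        status = "manual"        # several distinct tokens: the README's failure case
    elif distinct:
        status = "migratable"    # one plaintext token (possibly repeated)
    elif referenced:
        status = "migrated"      # only environment references remain
    else:
        status = "no-token"
    return {"status": status, "plaintext_lines": plaintext,
            "referenced_lines": referenced}

# Constructed sample configs; the token strings are fake.
SAMPLE_TWO_TOKENS = """\
; constructed example
//registry.npmjs.org/:_authToken=npm_FAKEAAAA
//npm.example.test/:_authToken="npm_FAKEBBBB"
"""
SAMPLE_MIGRATED = "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}\n"

if __name__ == "__main__":
    rc = Path.home() / ".npmrc"          # user config only, as in the caveats
    print(audit_npmrc(rc.read_text() if rc.exists() else ""))
```

Project-level `.npmrc` files are outside what this check reads, matching the caveat that only the user config is inspected.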

approval gates

Human review metadata for risky commands

The local approval-gate seed includes 8 rules for node. Covered entrypoints: corepack, node, npm, npx. Severity labels: critical, high, medium.

Example gated actions

  • Execute inline JavaScript supplied on the command line.
  • Load custom import hooks or require hooks before executing code.
  • Publish a package to the npm registry.
  • Install npm packages into a global executable location.
  • Remove package versions from the npm registry.
  • Download and execute a package by name.

install metadata

Resolver facts

Package key: brew:node
Last updated: 2026-05-08T04:15:56Z
Pulse: updated

source trail

Generated from repository data

This page is regenerated by scripts/generate-pkg-pages.py. Deployments refuse to publish if www/pkg/ is stale relative to local package data.

Used sources

  • Nucleus package database
  • approval-gate seed metadata
  • local isotope README
  • radioisotope security manifest