Where Chainsaw fits
Pinning, cooldowns, blocklists, SCA. Chainsaw sits behind them.
Four common ways teams try to keep a bad package out of a build. They solve different parts of the problem, and most of them stack.
This page concedes what the alternatives do well before saying where they stop. The honest version is more convincing than the flattering one — the audience already knows the alternatives, and will trust us more for being fair about them.
| Approach | When it acts | What it's good at | Where it stops |
|---|---|---|---|
| Lockfile pinning | At resolve | Reproducible builds, no surprise upgrades. | A pinned package that later gets a compromised version still gets pulled once you bump it. Doesn't judge intent. |
| Dependency cooldown pnpm minimumReleaseAge | At resolve | Cheap, free, catches fast-reverted compromises. | Probabilistic — relies on someone else getting burned first. No org-wide enforcement. Misses a cooled-then-compromised trusted maintainer. |
| Malicious-package blocklist Safe Chain, etc. | At install | Blocks known-bad against a feed, free. | Only as good as the feed's coverage. A blocklist isn't a policy you can shape per team. |
| SCA scanner Snyk · Sonatype · Mend | After install | Inventory, CVE matching, license checks. | Reports after the install script already ran. CVE-centric, weaker on behavioral supply-chain signals. Alert volume. |
| Chainsaw — free CLI | At install, offline | Blocks known-malicious + typosquats for npm/PyPI/Go/Rust/Ruby, same engine each. No account. | No deep install-script behavioral analysis on the laptop — that's the proxy. |
| Chainsaw — proxy | At install, on the path | 25 signals beyond CVE: install-script exfiltration, maintainer takeover, publish-velocity. Monitor mode. Enforcement across CI, endpoint, network. | npm and PyPI have full behavioral parity. Some signals thin or absent on registries without per-version publisher metadata. |
Before you assume it's "another SCA tool"
It isn't, and the difference is timing. A scanner looks at what you already installed. Chainsaw decides whether the install happens. An install script that steals your env vars runs the moment the package lands — before any scanner reads it. That's the whole reason the category exists.
So the honest framing: SCA reports, Chainsaw refuses, and most teams should run both. We're not trying to replace your scanner's inventory or its CVE feed. The full SCA head-to-head is here.
On cooldowns, since it's the first thing people say
Cooldowns are good. We mean that. A one-day or seven-day delay on new versions dodges a lot of smash-and-grab compromises that get yanked within hours. Two things a cooldown doesn't give you:
- Enforcement. A cooldown is a setting each developer can have or not have. Chainsaw is a policy the org applies at the proxy, so CI and laptops follow the same rules — and you can prove it.
- Coverage of the slow attack. A Shai-Hulud-style worm spreads through maintainers you already trust and packages that already passed their cooldown window. A delay doesn't see that. Behavioral signals do.
Keep your cooldown. Chainsaw sits behind it and catches the cases it can't.
What we will not claim
- We won't pretend the free CLI does behavioral install-script analysis. It does typosquat and known-malicious blocking offline; the behavioral signals live in the proxy. We'll tell you which tier you're getting.
- We won't claim "zero false positives" as a blanket. What we'll show is a scoped, reproducible number: 0 false blocks across the top 749 npm + PyPI packages (behavioral path), from a harness you can re-run. On the catch side, 70% of real malware flagged by behavioral analysis alone — before it's in any feed (597 archived real-world samples). Better still, monitor mode shows the number on your dependencies before you enforce anything.
- We won't use a customer logo until a customer says yes.
If any of that changes, this page changes with it.
No product pitch — just the teardowns
We publish a short teardown of notable supply-chain incidents, about once a month
What happened, what actually stopped it, where Chainsaw would and wouldn't have caught it. If that's useful, the list is here.