Requirements:
- Only the project owner can install new npm packages.
- npm install should work for local development and the CI/CD pipeline.
- When another team member runs npm install <PackageName>, it should print an error message like: "Installing new npm package is prevented, please contact the project owner."
Motivation: I don't want other team members installing packages at will. I want to limit this behavior through code or a script.
This is an opinion-based question; thanks for any advice.
Top comments (6)
I believe you should focus on your repository and process (code review) in order to allow your team to earn your trust instead of preventing them from explorative use of external packages. Without trust, a team will never work smoothly, because everyone is watching their back. Also, document the handling of external packages in the README so that everyone can get the rationale behind it.
You can
You probably need to find a way to restrict write access to the package.json file. This Stack Overflow question can be helpful.
Came across an old yarn issue that gave the following solution:
within your package.json and
in a file called .npmrc
This only prevents the use, though, and doesn't return a reply like the example you gave.
Build a CI step in GitHub Actions to error out when a dependency is added. Have it run on all PRs.