I enjoy hating on npm as much as the next guy, but this isn’t their fault. The premise is: you give a 3rd party service (travis-CI) access to your private credentials AND you give a 3rd party service (greenkeeper) permission to run arbitrary code (insecure npm package) against those credentials. That ain’t right. A stronger security policy is to audit code before running it. Even if we remove travisCI & greenkeeper from the picture, I could still yarn outdated and upgrade to a dangerous package version & it could steal all my code (including my local .npmcrc and .env!) If you don’t trust the package, do a security audit on it. If it passes, lock in the version. If it ain’t broke, don’t fix it… and especially don’t let a robot fix it while it’s holding the keys to the castle :-).