Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
tiagod 5 days ago

Or use pnpm. The latest versions have all dependency lifecycle scripts ignored by default. You must whitelist each package.

chrisweekly 5 days ago | parent | next [-]

pnpm is not only more secure, it's also faster, more efficient wrt disk usage, and more deterministic by design.

norskeld 5 days ago | parent [-]

It also has catalogs feature for defining versions or version ranges as reusable constants that you can reference in workspace packages. It was almost the only reason (besides speed) I switched a year ago from npm and never looked back.

mirekrusin 5 days ago | parent [-]

workspace protocol in monorepo is also great, we're using it a lot.

dvfjsdhgfv 5 days ago | parent [-]

OK so it seems too good now, what are the downsides?

nawgz 5 days ago | parent | next [-]

‘pnpm’ is great, swapped to it a year ago after yarn 1->4 looked like a new project every version and npm had an insane dependency resolution issue for platform specific packages

pnpm had good docs and was easy to put in place. Recommend

c-hendricks 5 days ago | parent | prev | next [-]

If you relied on hoisting of transitive dependencies, you'll now have to declare that fact in a project's .npmrc

Small price to pay for all the advantages already listed.

no_wizard 5 days ago | parent [-]

They’re moving all that to the pnpm-workspace.yaml file now

mirekrusin 5 days ago | parent | prev | next [-]

Downside is that you have to add "p" in front, ie. instead of "npm" you have to type "pnpm". That's all that I'm aware of.

Nathanba 5 days ago | parent | prev | next [-]

A few years ago it didn't work in all cases when npm did. It made me stop using it because I didn't want to constantly check with two tools. The speed boost is nice but I don't need to npm install that often.

TheRoque 5 days ago | parent | prev [-]

Personally, I didn't find a way to create one docker image for each of my project (in a pnpm monorepo) in an efficient way

no_wizard 5 days ago | parent [-]

That’s not really a pnpm problem on the face of it

trw55 5 days ago | parent | prev | next [-]

Same for bun, which I find faster than pnpm

jim201 5 days ago | parent | prev [-]

This is the way. It’s a pain to manually disable the checks, but certainly better than becoming victim to an attack like this.