nicoritschel 5 days ago

One of my projects uses an impacted version. However, we use bun as a package manager. Thrilled bun protected us by default!

> executing arbitrary scripts represents a potential security risk, so—unlike other npm clients—Bun does not execute arbitrary lifecycle scripts by default.

ec109685 5 days ago

Can’t the exploit just be encoded in files that are used when the npm module is actually used?

It seems like not running it at package install time doesn’t afford that much protection.

bapak 5 days ago

Correct. Pretty limited as a protection when the first thing you do after installing a package is running it.

Literally the only thing blocking scripts protects you from is if a package is bundled by webpack and not run by node. If the compromise happens in nx, it's just run after you type nx[enter] in your command line.