| ▲ | naugtur 3 days ago | |||||||
packages published to npm are immutable. if you pin a version, you get the same exact version as long as MSFT servers are not compromised. Installing from git is not recommended and has more issues than you might think https://dev.to/naugtur/a-phish-on-a-fork-no-chips-52cc You are supposed to update packages, even if you use lockfiles (very common) or tools that pin your direct dependencies (renovate etc. not so common) And when you do update, will you read the package and all of its updated dependencies? It's a hard problem with a bunch of tradeoffs. Can be done, with enough attention and tools. Tools include LavaMoat :) | ||||||||
| ▲ | whilenot-dev 3 days ago | parent | next [-] | |||||||
> packages published to npm are immutable. Depends how you'd refer to them... tags ("@latest", "@next" etc.) are not immutable and it's best to rely on the checksums in the lock file. | ||||||||
| ▲ | clbrmbr 3 days ago | parent | prev [-] | |||||||
Re: updates: I was just thinking of waiting a few weeks on the updates to allow compromised packages to be discovered. | ||||||||
| ||||||||