herpdyderp 5 days ago

If I was forced to wait to download my own package updates I would simply stop using npm altogether and use something else.

kaelwd 5 days ago | parent | next [-]

It would be fine if you could still manually specify those versions, e.g. npm i duckdb@1.3.3 installs 1.3.3 but duckdb@latest or duckdb@^1.3 stays on 1.3.2 until 1.3.3 is ~a week old.

https://github.com/pnpm/pnpm/issues/9921
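The resolver behaviour described in that comment, written out as an added example (not kaelwd's code and not pnpm's implementation of the linked issue): an exact pin installs what was asked for, while `latest` and caret ranges skip any version younger than a minimum age and any version the maintainer has deprecated. The package name, versions, publish times and deprecation notice are constructed for the example; caret ranges on 0.x are deliberately left unsupported.

```python
import re
from datetime import datetime, timedelta

# Constructed registry metadata for a hypothetical package "duckdb": the
# versions, publish times and deprecation notice are made up for this example.
PUBLISHED = {
    "1.2.9": "2025-07-01T09:00:00Z",
    "1.3.0": "2025-08-01T09:00:00Z",
    "1.3.1": "2025-08-20T09:00:00Z",
    "1.3.2": "2025-09-01T09:00:00Z",
    "1.3.3": "2025-09-10T12:00:00Z",
}
DEPRECATED = {"1.3.1": "contains a known vulnerability; upgrade"}

EXACT = re.compile(r"^\d+\.\d+\.\d+$")
CARET = re.compile(r"^\^(\d+)\.(\d+)(?:\.(\d+))?$")


def vtuple(v):
    """'1.3.2' -> (1, 3, 2) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def _ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def in_range(version, spec):
    """True if version satisfies spec: 'latest', an exact version, or ^X.Y[.Z] with X > 0."""
    if spec == "latest":
        return True
    if EXACT.match(spec):
        return version == spec
    m = CARET.match(spec)
    if not m:
        raise ValueError(f"unsupported spec {spec!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if major == 0:
        raise ValueError("caret ranges on 0.x are not handled in this example")
    v = vtuple(version)
    return v[0] == major and v >= (major, minor, patch)


def resolve(spec, now_iso, min_age_days=7):
    """Choose the version to install for spec under a minimum-release-age policy.

    An exact pin installs exactly what was asked for (the user opted in), but
    still surfaces a deprecation warning. Any range, including 'latest',
    ignores versions younger than min_age_days and deprecated versions.
    Returns (version, warnings); raises LookupError if nothing qualifies.
    """
    warnings = []
    if EXACT.match(spec):
        if spec not in PUBLISHED:
            raise LookupError(f"no such version {spec}")
        if spec in DEPRECATED:
            warnings.append(f"{spec} is deprecated: {DEPRECATED[spec]}")
        return spec, warnings

    now = _ts(now_iso)
    min_age = timedelta(days=min_age_days)
    candidates = []
    for version, published in PUBLISHED.items():
        if not in_range(version, spec):
            continue
        age = now - _ts(published)
        if age < min_age:
            warnings.append(f"{version} skipped: only {age.days} day(s) old")
            continue
        if version in DEPRECATED:
            warnings.append(f"{version} skipped: deprecated ({DEPRECATED[version]})")
            continue
        candidates.append(version)
    if not candidates:
        raise LookupError(f"no version satisfies {spec!r} under the age policy")
    return max(candidates, key=vtuple), warnings


if __name__ == "__main__":
    now = "2025-09-12T00:00:00Z"  # constructed "today", 1.5 days after 1.3.3 shipped
    for spec in ("latest", "^1.3", "1.3.3"):
        print(spec, "->", resolve(spec, now))
```

With the constructed data and `2025-09-12` as "today", both `latest` and `^1.3` resolve to 1.3.2 because 1.3.3 is only a day and a half old, while an explicit `1.3.3` pin still installs 1.3.3. Setting `min_age_days=0` reproduces the current behaviour where `latest` picks 1.3.3 immediately; the deprecation check is what lets a maintainer steer range installs away from a bad version without waiting out the delay.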

ApolloFortyNine 5 days ago | parent | next [-]

Except they'd have to have an override for when there's a zero day, at which point we're back where we started.

kaelwd 5 days ago | parent [-]

Versions with a serious vulnerability should be deprecated by the maintainer, which then warns you to use a newer version when installing. Yes, if an npm account is compromised the attacker could deprecate everything except their malicious version, but it would still significantly reduce the attack surface by requiring manual intervention vs the current npm install foo@latest -> you're fucked.

herpdyderp 5 days ago | parent | prev [-]

Brilliantly simple, that would work for me!

balder1991 5 days ago | parent | prev [-]

It could be done like a rollout in % over time like app stores do.