ptrl600, 5 days ago:
Is there a way to configure npm so that it only installs packages that are, like, a week old?
|
feross, 5 days ago (replying to ptrl600):
Disclosure: I'm the founder of https://socket.dev. A one-week waiting period would not be enough. On average, npm malware lingers on the registry for 209 days before it's finally reported and removed. Source: https://arxiv.org/abs/2005.09535
ptrl600, 4 days ago (replying to feross):
OK, a week for popular packages; anything else, I'd manually review each update. It'd be a nice feature.
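npm does have a knob for the age-based policy ptrl600 asks about: `npm install --before=<date>` (or `before=<date>` in `.npmrc`) restricts resolution to versions that were published on or before that time, and errors out rather than falling back to a newer version when a dependency has none. The script below is an added example, not code from anyone in this thread: it emulates that selection offline from a constructed copy of a package's `time` map (the per-version publish dates that `npm view <pkg> time --json` prints), so the effect of a 7-day cutoff can be compared with the 209-day figure feross cites. The package, versions and dates are all made up.

```javascript
// Added example (not from the thread): emulate npm's `--before` cutoff
// offline from a package's `time` map. SAMPLE_TIMES is constructed; the
// package does not exist.
const SAMPLE_TIMES = {
  created: "2024-01-10T12:00:00.000Z",
  modified: "2025-09-10T08:00:00.000Z",
  "1.0.0": "2024-01-10T12:00:00.000Z",
  "1.1.0": "2024-06-02T09:30:00.000Z",
  "1.1.1": "2025-03-15T17:45:00.000Z",
  "2.0.0-rc.1": "2025-08-30T10:00:00.000Z",
  "2.0.0": "2025-09-10T08:00:00.000Z",
};

// Numeric compare of major.minor.patch. Prereleases are filtered out
// before this is called, so no tag handling is needed.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Newest stable version published strictly before `cutoff`.
// Returns null when nothing qualifies, which is also when the real
// `--before` flag refuses to install rather than picking something newer.
function newestVersionBefore(times, cutoff) {
  const cutoffMs = cutoff.getTime();
  const candidates = Object.keys(times)
    .filter((k) => k !== "created" && k !== "modified") // non-version keys
    .filter((v) => !v.includes("-")) // skip prereleases
    .filter((v) => Date.parse(times[v]) < cutoffMs)
    .sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Cutoff timestamp for "published at least `days` ago" relative to `now`.
function cutoffDaysAgo(days, now = new Date()) {
  return new Date(now.getTime() - days * 24 * 60 * 60 * 1000);
}

// The real npm invocation that applies the same cutoff to the whole tree.
function npmInstallCommand(cutoff) {
  return `npm install --before=${cutoff.toISOString()}`;
}

// Stand-alone demo with a fixed "now" so the result is reproducible.
const demoNow = new Date("2025-09-12T00:00:00Z");
for (const days of [7, 209]) {
  const cutoff = cutoffDaysAgo(days, demoNow);
  console.log(`${days}-day quarantine -> ${newestVersionBefore(SAMPLE_TIMES, cutoff)}`);
}
console.log(npmInstallCommand(cutoffDaysAgo(7, demoNow)));
```

With the constructed dates, a 7-day quarantine still resolves to 1.1.1 (only the five-day-old 2.0.0 is held back), while a 209-day one drops to 1.1.0. The flag applies to transitive dependencies as well, which is what makes it useful as a policy rather than a per-package habit; the trade-off is that a fix for a real vulnerability is held back for the same period.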
|
|
HatchedLake721, 5 days ago (replying to ptrl600):
Don't auto-install latest versions; pick a version down to the patch and use package-lock.json.
mdaniel, 5 days ago (replying to HatchedLake721):
That's only half the story, as I learned yesterday (https://news.ycombinator.com/item?id=45172213): even with lock files, one must change the verb given to npm/yarn to have them honor the lock file. So, regrettably, we're back to "train users" and all the pitfalls that entails.
3np, 4 days ago (replying to mdaniel):
More importantly, avoid yarn[0] if you have a choice. They do not have a security posture fitting for 2025. There are way too many assumptions, like "helpful" "magic" guessing/inferring what the user "actually wants" to "make things just work". See also: corepack.

[0]: legacy 1.x projects aside
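The two pieces of advice in this sub-thread (pin exact versions, and use the verb that makes the lock file authoritative: `npm ci` rather than `npm install`, `yarn install --frozen-lockfile` on Yarn 1, `yarn install --immutable` on Yarn 2+) can be checked before a build runs. The script below is an added example, not the project's code or any commenter's: it flags dependency specs in package.json that are ranges or tags rather than single versions, and the lock-file inconsistencies that `npm ci` aborts on (lockfileVersion 2/3 `packages` layout). The manifest, lock data, URLs and integrity strings are constructed.

```javascript
// Added example (not from the thread). Constructed package.json and
// package-lock.json (lockfileVersion 3 layout) with deliberate defects.
const manifest = {
  name: "demo-app",
  version: "1.0.0",
  dependencies: {
    left: "1.2.3",     // exact pin
    right: "^4.0.0",   // range: `npm install` may resolve a newer 4.x
    middle: "latest",  // dist-tag: whatever was published last
  },
  devDependencies: {
    tester: "~2.1.0",  // patch range
  },
};

const lock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: manifest.dependencies, devDependencies: manifest.devDependencies },
    "node_modules/left": {
      version: "1.2.4", // does not match the 1.2.3 pin above
      resolved: "https://registry.npmjs.org/left/-/left-1.2.4.tgz",
      integrity: "sha512-constructedHashForLeft",
    },
    "node_modules/right": {
      version: "4.2.0",
      resolved: "https://registry.npmjs.org/right/-/right-4.2.0.tgz",
      // no integrity field: the downloaded tarball cannot be verified
    },
    "node_modules/tester": {
      version: "2.1.5",
      resolved: "https://registry.npmjs.org/tester/-/tester-2.1.5.tgz",
      integrity: "sha512-constructedHashForTester",
    },
    // "middle" has no lock entry at all
  },
};

// A single version, optionally with a prerelease tag; anything else
// (^, ~, >=, *, x, dist-tags, git URLs) is not an exact pin.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function allDeps(pkg) {
  return { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
}

// Dependencies whose spec lets the resolver choose the version.
function nonExactSpecs(pkg) {
  return Object.entries(allDeps(pkg))
    .filter(([, spec]) => !EXACT.test(spec))
    .map(([name, spec]) => `${name}@${spec}`);
}

// Lock-file defects of the kind `npm ci` refuses to install through:
// a dependency with no lock entry, a pinned version the lock disagrees
// with, or an entry with no integrity hash. Range specs are only
// checked for presence here; semver range matching is out of scope.
function lockfileProblems(pkg, lockfile) {
  const problems = [];
  const pkgs = lockfile.packages || {};
  for (const [name, spec] of Object.entries(allDeps(pkg))) {
    const entry = pkgs[`node_modules/${name}`];
    if (!entry) {
      problems.push(`${name}: no lock entry`);
      continue;
    }
    if (EXACT.test(spec) && entry.version !== spec) {
      problems.push(`${name}: manifest pins ${spec}, lock has ${entry.version}`);
    }
    if (!entry.integrity) problems.push(`${name}: lock entry has no integrity hash`);
  }
  return problems;
}

// Stand-alone demo.
console.log("non-exact specs:", nonExactSpecs(manifest));
console.log("lock problems:", lockfileProblems(manifest, lock));
```

The second check is the part mdaniel's verb distinction is about: `npm ci` requires a package-lock.json, removes any existing node_modules, installs exactly what the lock records, and fails when package.json and the lock disagree, without ever writing to either file. `npm install` with the same inputs would resolve `^4.0.0` and `latest` against the registry and rewrite the lock to match, which is exactly the path that quietly pulls in a freshly published version.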