| ▲ | mdaniel 5 days ago | |
That's only half the story, as I learned yesterday <https://news.ycombinator.com/item?id=45172213> since even with lock files one must change the verb given to npm/yarn to have them honor the lock file So, regrettably, we're back to "train users" and all the pitfalls that entails | ||
| ▲ | 3np 4 days ago | parent [-] | |
More importantly, avoid yarn[0] if you have a choice. They do not have a security posture fitting for 2025. There's way too much assumptions like "helpful" "magic" guessing/inferring what the user "actually wants" to "make things just work". See also: corepack. [0]: legacy 1.x projects aside | ||