mirekrusin 6 days ago

name + version are immutable; you can't republish packages in npm under an existing version.

you can only unpublish.

content hash integrity is verified in lockfiles.

the problem is with dependencies using semver ranges, especially wide ones like "debug": "*"

initiatives like provenance statements [0] / code signing are also a good complement to delayed dependency updates.

also not running by default / whitelisting postinstall scripts is a good default in pnpm.

modifying (especially adding) keys on npmjs.org should be behind dedicated 2FA (as well as changing 2FA).

[0] https://docs.npmjs.com/generating-provenance-statements

__MatrixMan__ 6 days ago

Those are promises that npm intends to keep, but whether they do or not isn't something that you as a package user can verify. Plus there's also the possibility that the server you got those bits from was merely masquerading as npm.

The only immutability that counts is immutability that you can verify, which brings us back to cryptographic hashes.

mirekrusin 5 days ago

...which are already present in lockfiles and available in the registry, i.e. https://registry.npmjs.org/debug etc. - it's not a problem.