Can anyone tell me if yarn just as vulnerable as NPM? Isn't it the packages that are vulnerable and not the package manger software itself?

▲

cluckindan 5 days ago | parent [-]

No, the ”vulnerability” here is npm unilaterally allowing postinstall scripts, which are then used as an entry point for malware.

Of course, the malware could just embed itself as an IIFE and get launched when the package is loaded, so disallowing postinstall is not really a security solution.

	▲	paulhodge 5 days ago \| parent \| next [-]
		Pnpm 10.x also has a feature to disallow post-install scripts by default. When using Pnpm you have to specifically enable a dependency to let it run its post-install scripts. It's a great feature that should be the standard. Yes if someone compromises a package then they can also inject malicious code that will trigger at runtime. But the thing about the recent NPM supply chain attack - it happened really quickly. There was a chain reaction of packages that got compromised which lead to more authors getting compromised. And I think a big reason why it moved so quickly was because of post-install scripts. If the attack happened more slowly, then the community would have more time to react and block the compromised packages. So just slowing down an attack is valuable on its own.
	▲	bamboozled 5 days ago \| parent \| prev [-]
		Interesting, thanks, it contradicts what was said on another similar post.