kpcyrd 3 hours ago

Also, don't use npx.

With the colors incident back in 2022, random stuff started to break not when people updated their dependencies, but immediately, because npx would resolve dependencies when the command is executed.

This means it's not really possible to reason about what code is going to execute, and forensics is going to have a really hard time figuring out what a computer has executed.

If your software uses npx in any capacity, you've auto-failed the SBOM compliance checkbox.
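One way to audit the point made above, added here as an example and not code from the thread or any project it mentions: scan the `scripts` of a package.json for `npx` invocations whose package is not pinned to one exact version, since those are the calls that resolve to whatever the registry serves when the script runs. The package.json below is constructed, and the package names in it are illustrative.

```python
import json
import re
from typing import Dict, List

# An `npx` invocation anywhere in a shell command, skipping leading option
# flags (e.g. "npx --yes foo") to reach the package spec token.
NPX_RE = re.compile(r"(?:^|[\s;&|(])npx\s+((?:-\S+\s+)*)(\S+)")

# Exact pin: name@1.2.3 (scoped names allowed). A range such as ^2.0.0 or a
# bare name resolves to whatever the registry serves at execution time.
EXACT_PIN_RE = re.compile(
    r"^(@[^/@]+/)?[^@/]+@\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.]+)?$"
)


def find_npx_calls(command: str) -> List[str]:
    """Return the package specs passed to npx in a shell command string."""
    return [m.group(2) for m in NPX_RE.finditer(command)]


def is_exact_pin(spec: str) -> bool:
    """True when the spec names one exact version, not a range or bare name."""
    return bool(EXACT_PIN_RE.match(spec))


def audit_package_json(text: str) -> List[Dict[str, str]]:
    """Flag npx calls in "scripts" whose package is not pinned exactly."""
    scripts = json.loads(text).get("scripts", {})
    findings = []
    for name, cmd in scripts.items():
        for spec in find_npx_calls(cmd):
            if not is_exact_pin(spec):
                findings.append({"script": name, "spec": spec, "command": cmd})
    return findings


# Constructed sample package.json (hypothetical project, not from the thread).
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "scripts": {
    "lint": "npx eslint .",
    "build": "tsc && npx --yes some-bundler@^2.0.0 build",
    "release": "npx release-it@15.11.0",
    "test": "jest"
  }
}"""

if __name__ == "__main__":
    for f in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"scripts.{f['script']}: unpinned npx package {f['spec']!r}")
```

An exact pin only fixes which version gets fetched; the fetch itself still happens at execution time, so this check reports what a script would resolve, not what a machine has already run.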

potamic 2 hours ago

> npx would resolve dependencies when the command is executed

I hate that this is becoming a thing. I was pretty miffed some time back when I realized go build just went ahead and installed a whole new version of golang on my machine. These are devtools ffs, why so much mollycoddling! And what happened to half a century of good conventions where the default is always to prompt?