bodash 5 hours ago

I compiled a list of NPM best practices one can adopt to reduce supply chain attack risks (even if there's no perfect security preventions, _always_): https://github.com/bodadotsh/npm-security-best-practices

Discussion on HN last time: https://news.ycombinator.com/item?id=45326754

herpdyderp 3 hours ago

For anyone publishing packages for others to use: please don't pin exact dependency versions. Doing so requires all your users to set "overrides" in their own package.json when your dependencies have vulnerabilities.
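To make the mechanics concrete, here is a constructed pair of package.json fragments (added for illustration; they are not from the linked repo or from anyone in this thread): a library that pins an exact version, the override a consumer is then forced to add when that pinned version has a vulnerability, and the range-based alternative. The package names and version numbers are placeholders.

```jsonc
// Library author's package.json with an exact pin (the pattern warned about above).
// "example-dep", "some-library" and all versions are constructed placeholders.
{
  "name": "some-library",
  "version": "1.0.0",
  "dependencies": {
    "example-dep": "1.2.3"
  }
}

// Consumer's package.json: because the library pinned 1.2.3, a fixed release
// 1.2.4 is never selected by `npm install` or `npm audit fix` for that path, so
// every consumer has to force it with npm's "overrides" field (npm 8.3+).
{
  "name": "my-app",
  "dependencies": {
    "some-library": "^1.0.0"
  },
  "overrides": {
    "some-library": {
      "example-dep": "1.2.4"
    }
  }
}

// Library author's package.json with a caret range instead: a fresh install or
// `npm update` in the consumer's project resolves 1.2.4 and no override is needed.
{
  "name": "some-library",
  "version": "1.0.1",
  "dependencies": {
    "example-dep": "^1.2.3"
  }
}
```

The library's own package-lock.json still gives its maintainers reproducible builds, since npm ignores lockfiles inside installed dependencies; ranges in the published package.json therefore cost the author nothing in reproducibility.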

btbuildem 2 hours ago

I have a shorter list of NPM best practices:

1. Don't

giantg2 5 hours ago

Do you know of anything similar for pip?

kernc 2 hours ago

No.1: Run untrusted code in a sandbox! https://github.com/sandbox-utils/sandbox-venv

bodash 5 hours ago

Most of the best practices can be translated to the Python ecosystem. It's not an exact 1:1 mapping, but if you change a few key terms and tools, the underlying practices should be the same.

Or copy that repo's markdown into an LLM and ask it to map it to the pip ecosystem.