sync 11 hours ago

That’s weird, pnpm no longer automatically runs lifecycle scripts like preinstall [1], so unless they were running a very old version of pnpm, shouldn’t they have been protected from Shai-Hulud?

1: https://github.com/pnpm/pnpm/pull/8897

ItsHarper 10 hours ago

At the end of the article, they talk about how they've since updated to the latest major version of pnpm, which is the one with that change.

e40 11 hours ago

Yeah, I thought that was the main reason to use pnpm. Very confused.

pverheggen 10 hours ago

Maybe the project itself had a postinstall script? It doesn't run lifecycle scripts of dependencies, but it still runs project-level ones.

agilob 6 hours ago

Let me understand it fully. That means they updated dependencies using an old, out-of-date package manager. If pnpm was up to date, this would not have happened? Sounds totally like their fault then.