| ▲ | rybosome 2 days ago | ||||||||||||||||
> it’s got me nervous to use Python or Node.js these days My feelings precisely. Min package age (supported in uv and all JS package managers) is nice but I still feel extremely hesitant to upgrade my deps or start a new project at the moment. I don’t think this is going to stabilize any time soon, so figuring out how to handle potentially compromised deps is something we will all need to think about. | |||||||||||||||||
| ▲ | Tazerenix 2 days ago | parent | next [-] | ||||||||||||||||
NPM only gained minimum package age in February of this year, and still doesn't support package exclusions for internal packages. https://github.com/npm/cli/pull/8965 https://github.com/npm/cli/issues/8994 Its good that that they finally got there but.... I would be avoiding npm itself on principle in the JS ecosystem. Use a package manager that has a history of actually caring about these issues in a timely manner. | |||||||||||||||||
| |||||||||||||||||
| ▲ | arcfour 2 days ago | parent | prev [-] | ||||||||||||||||
PNPM makes you approve postinstall scripts instead of running them by default, which helps a lot. Whenever I see a prompt to run a postinstall script, unless I know the package normally has one & what it does, I go look it up before approving it. (Of course I could still get bitten if one of the packages I trust has its postinstall script replaced.) | |||||||||||||||||
| |||||||||||||||||