| ▲ | Tazerenix 12 hours ago | |
NPM only gained minimum package age in February of this year, and still doesn't support package exclusions for internal packages. https://github.com/npm/cli/pull/8965 https://github.com/npm/cli/issues/8994 It's good that they finally got there but... I would be avoiding npm itself on principle in the JS ecosystem. Use a package manager that has a history of actually caring about these issues in a timely manner. | ||
| ▲ | jadar 2 hours ago | parent [-] | |
It almost doesn't matter, because you can get pwned by a transitive dependency. If someone doesn't have the same scruples as you have, you're still at risk. | ||