n_e 3 hours ago
> Anyone know of a better way to protect yourself than setting a min release age on npm/pnpm/yarn/bun/uv (and anything else that supports it)? With pnpm, you can also use trustPolicy: no-downgrade, which prevents installing packages whose trust level has decreased since older releases (e.g. if a release was published with the npm cli after a previous release was published with the github OIDC flow). Another one is to not run post-install scripts (which is the default with pnpm and configurable with npm). These would catch most of the compromised packages, as most of them are published outside of the normal release workflow with stolen credentials, and are run from post-install scripts.
eranation 2 hours ago
Yep! depsguard sets trustPolicy: "no-downgrade" where applicable.
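The three controls discussed in the thread (minimum release age, a no-downgrade trust policy, and refusing install-time scripts) can be expressed as one policy check over a registry packument. The following is an added example written for this page; it is not code from pnpm, depsguard, or either commenter. The packument is constructed, and the trust ladder it uses (a version with a provenance attestation in `dist.attestations` ranks above a plain token publish) is a deliberate simplification of whatever levels a real package manager tracks.

```python
"""Added example: minimum-release-age, no-downgrade and install-script checks
over an npm-style packument.  Constructed data; simplified trust ladder."""
from datetime import datetime, timedelta, timezone

# Constructed packument in the shape the npm registry returns for GET /<pkg>:
# "time" maps version -> publish timestamp (real packuments also carry
# "created"/"modified" keys there), "versions" maps version -> manifest, and
# provenance-published versions carry dist.attestations.  Only the fields
# this check reads are included.
SAMPLE_PACKUMENT = {
    "name": "example-lib",
    "time": {
        "created": "2025-01-10T12:00:00.000Z",
        "1.0.0": "2025-01-10T12:00:00.000Z",
        "1.1.0": "2025-03-02T09:30:00.000Z",
        "1.1.1": "2025-03-02T10:05:00.000Z",
        "modified": "2025-03-02T10:05:00.000Z",
    },
    "versions": {
        # published with a long-lived token, no provenance
        "1.0.0": {"dist": {}},
        # published via an OIDC / trusted-publishing flow: provenance attached
        "1.1.0": {
            "dist": {
                "attestations": {
                    "url": "https://registry.npmjs.org/-/npm/v1/attestations/example-lib@1.1.0",
                    "provenance": {"predicateType": "https://slsa.dev/provenance/v1"},
                }
            }
        },
        # token publish again, and it adds an install-time script
        "1.1.1": {"dist": {}, "scripts": {"postinstall": "node setup.js"}},
    },
}

TRUST_NONE, TRUST_PROVENANCE = 0, 1        # simplified two-rung ladder (assumption)
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def utc(year, month, day, hour=0):
    """Helper for building timezone-aware 'now' values in tests and demos."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def parse_time(stamp):
    """Registry timestamps are ISO-8601 with a trailing Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def trust_level(manifest):
    """Rank a version: provenance attestation present beats a bare publish."""
    att = manifest.get("dist", {}).get("attestations")
    return TRUST_PROVENANCE if att and att.get("provenance") else TRUST_NONE


def check_version(packument, version, now, min_release_age=timedelta(days=7)):
    """Return the list of policy violations for installing `version`.

    An empty list means the version passes all three checks.
    """
    problems = []
    times, versions = packument["time"], packument["versions"]
    manifest = versions[version]
    published = parse_time(times[version])

    # 1. Minimum release age: a freshly pushed (possibly hijacked) release
    #    is refused until it has been public long enough to be noticed.
    age = now - published
    if age < min_release_age:
        problems.append(f"release age {age} < required {min_release_age}")

    # 2. No-downgrade: the trust level may not fall below that of any
    #    version published earlier.  A token publish after an OIDC publish
    #    is exactly the pattern a stolen-credential push produces.
    level = trust_level(manifest)
    earlier = [v for v, t in times.items() if v in versions and parse_time(t) < published]
    prior_max = max((trust_level(versions[v]) for v in earlier), default=TRUST_NONE)
    if level < prior_max:
        problems.append(f"trust downgrade: level {level} below earlier level {prior_max}")

    # 3. Install-time scripts: refuse anything that would execute on install.
    hooks = [h for h in INSTALL_HOOKS if h in manifest.get("scripts", {})]
    if hooks:
        problems.append("install scripts present: " + ", ".join(hooks))
    return problems


if __name__ == "__main__":
    now = utc(2025, 3, 12)
    for v in SAMPLE_PACKUMENT["versions"]:
        print(v, check_version(SAMPLE_PACKUMENT, v, now) or "ok")
```

Run against the constructed data with a "now" of 2025-03-12, versions 1.0.0 and 1.1.0 pass, while 1.1.1 is refused for both the trust downgrade and the postinstall hook; move "now" to 2025-03-03 and the release-age check fires on it as well. The ordering of the checks is deliberate: the age check needs no metadata beyond a timestamp, so it is the cheapest gate and the one every manager the comment lists can apply.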