pjmlp a day ago

The solution already exists. Nexus, Artifactory, and many others. Security-minded organisations don't allow cowboy installs into projects; the systems are configured to use internal repos and only IT-validated packages get uploaded into them. Still, it might be of value to single devs.
gkiely 9 hours ago | parent

Yeah, this is just for anyone using node on their local machine. Enabling `ignore-scripts=true` protects you from almost all of the recent compromises; `min-release-age=3` protects you from the rest. But you still typically need trusted dependency builds, which this script solves. I hope that npm enables this by default in the future.