vldszn 5 hours ago

friendly reminder:

- disable auto-updates for extensions in VS Code/Cursor

- use static analysis for GitHub Actions to catch security issues in a pre-commit hook and on CI: https://github.com/zizmorcore/zizmor

- set locally: pnpm config set minimum-release-age 4320 # 3 days in minutes https://pnpm.io/supply-chain-security

- for other package managers check: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e...

- add Socket Free Firewall when installing npm packages on CI to catch malware https://docs.socket.dev/docs/socket-firewall-free#github-act...
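
An added example, not from this thread and not part of zizmor, pnpm or Socket: a small POSIX shell audit that checks whether the file-level settings from the list above are actually in place, which is the kind of check worth running from a dotfiles repo or a CI job. It assumes the VS Code/Cursor key is `extensions.autoUpdate` (set to `false`), that pnpm reads `minimum-release-age` in minutes from `.npmrc`, and that the zizmor pre-commit hook is registered under the hook id `zizmor`; the sample files it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the linked tools): audit the
# supply-chain settings recommended above. Assumptions: settings.json uses
# "extensions.autoUpdate", pnpm reads minimum-release-age (minutes) from
# .npmrc, and the zizmor pre-commit hook has the hook id "zizmor".

MIN_RELEASE_AGE_MINUTES=4320   # 3 days, the value used in the comment above

# 0 if the given settings.json sets "extensions.autoUpdate": false.
# settings.json allows // comments, so a regex is used instead of a JSON parser.
vscode_autoupdate_disabled() {
  [ -f "$1" ] || return 1
  grep -Eq '"extensions\.autoUpdate"[[:space:]]*:[[:space:]]*false' "$1"
}

# 0 if the given .npmrc sets minimum-release-age to at least the threshold.
# If the key appears more than once, the last assignment in the file is used.
npmrc_release_age_ok() {
  [ -f "$1" ] || return 1
  age=$(sed -n 's/^[[:space:]]*minimum-release-age[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
  [ -n "$age" ] || return 1
  [ "$age" -ge "$MIN_RELEASE_AGE_MINUTES" ]
}

# 0 if the given .pre-commit-config.yaml registers a hook with id "zizmor".
precommit_runs_zizmor() {
  [ -f "$1" ] || return 1
  grep -Eq '^[[:space:]]*-[[:space:]]*id:[[:space:]]*zizmor[[:space:]]*$' "$1"
}

# Run every check, print one line per check, return 1 if any check failed.
# Arguments: settings.json path, .npmrc path, .pre-commit-config.yaml path.
audit_supply_chain_settings() {
  rc=0
  if vscode_autoupdate_disabled "$1"; then
    echo "ok    extension auto-update disabled in $1"
  else
    echo "FAIL  extension auto-update not disabled in $1"; rc=1
  fi
  if npmrc_release_age_ok "$2"; then
    echo "ok    minimum-release-age >= $MIN_RELEASE_AGE_MINUTES in $2"
  else
    echo "FAIL  minimum-release-age missing or below $MIN_RELEASE_AGE_MINUTES in $2"; rc=1
  fi
  if precommit_runs_zizmor "$3"; then
    echo "ok    zizmor hook present in $3"
  else
    echo "FAIL  zizmor hook not found in $3"; rc=1
  fi
  return $rc
}

# Demo on constructed sample files so the script runs offline.
demo_dir=$(mktemp -d)
printf '{\n  // constructed sample: hardened workstation\n  "extensions.autoUpdate": false,\n  "extensions.autoCheckUpdates": false\n}\n' > "$demo_dir/settings.json"
printf 'minimum-release-age=%s\n' "$MIN_RELEASE_AGE_MINUTES" > "$demo_dir/.npmrc"
# Sample only; the repo value is a placeholder, check zizmor's docs for the real hook repo.
printf 'repos:\n  - repo: https://github.com/zizmorcore/zizmor\n    hooks:\n      - id: zizmor\n' > "$demo_dir/.pre-commit-config.yaml"

echo "== hardened sample =="
audit_supply_chain_settings "$demo_dir/settings.json" "$demo_dir/.npmrc" "$demo_dir/.pre-commit-config.yaml" || echo "audit failed"

# A default workstation has none of these files, so every check fails.
echo "== default sample (nothing configured) =="
audit_supply_chain_settings "$demo_dir/missing.json" "$demo_dir/missing.npmrc" "$demo_dir/missing.yaml" || echo "audit failed (expected)"
rm -rf "$demo_dir"
```

Point the three arguments at the real paths (for VS Code on Linux, `~/.config/Code/User/settings.json`; Cursor keeps its own copy under its own config directory) and the per-project `.npmrc` to use it as an actual check; the functions deliberately fail closed when a file is missing, so an unconfigured machine is reported as a failure rather than silently passing.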

arandomhuman 3 hours ago | parent

friendly reminder: use vim :)

IcyWindows an hour ago | parent | next

If you are a person that installs extensions from public sources, it doesn't matter what IDE you use.

If you don't (or can't) install extensions, it also doesn't matter which IDE you use.

leni536 2 hours ago | parent | prev | next

It honestly surprises me we don't hear news about vim/neovim plugin supply chain attacks.

arandomhuman 2 hours ago | parent

probably a much smaller dependency graph (less use of transitive dependencies)

vldszn 2 hours ago | parent | prev

=)