yeah it's such a pity deno's security features could have made recent npm attacks moot...

The recent npm supply chain attacks relied on lifecycle scripts, which Deno doesn't run by default, but neither do pnpm or Bun. While Deno, like npm, supports a minimum release age, it doesn't enable it by default.

	▲	sysguest 2 hours ago \| parent [-]
		well deno has 'allow-read' 'allow-write' kind of permission, so if something tries to read from my ~/.ssh or other important folder, it can just block it even with blocking lifecycle scripts, the attacker could have planted it somewhere else or just trick the dev somehow to run it

▲

cyanydeez 2 hours ago | parent | prev [-]

the problem was at the start of deno, it didn't integrate with npm; the same way Macintosh used to be free of virus and trojan horses was because people just didn't use it enough.