pier25 an hour ago

> none of them seem to want to abandon npm which keeps getting exploited and hacked

Do you know of a better alternative for JS/TS that has all the popular packages?

rglover 16 minutes ago

Not perfect, but I use Verdaccio to run my own npm server and for third party deps, I clone, eval, and then if it's clean, push a safe copy to my own server (not for everything, just the most sensitive, hardcore stuff but eyeballing building a tool to semi-automate it due to recent chaos). You can even clone from remote URLs (point to a tarball from package.json instead of a version) so I've considered just using a private bucket.

Tedious, but makes the "npm hacked again" posts mostly moot.