| ▲ | mschuster91 4 hours ago | |
An idea might be to not just pin "package xyz allowed", but "package xyz postinstall allowed with hash <1234>". | ||
| ▲ | jffry 3 hours ago | parent [-] | |
The default behavior for the automated "add everything existing to the allowlist" is to include the specific version: https://docs.npmjs.com/cli/v11/using-npm/config#allow-script... Together with a lockfile that does achieve "package xyz postinstall allowed with hash <1234>" | ||