jaen 17 hours ago [-]
but... why not just use pnpm? It's generally a straightforward migration.
It has dependency cooldowns, build scripts disabled by default, and the setting you mentioned.
gkiely 14 hours ago [-]
The simplest reason might be that it's not the default so people use npm out of habit.
Personally, I use volta and switch between node versions in different projects, so I prefer to just use npm.
pjmlp 1 day ago [-]
The solution already exists.
Nexus, Artifactory, and many others.
Security-minded organisations don't allow cowboy installs into projects; the systems are configured to use internal repos, and only IT-validated packages get uploaded into them.
Still it might be of value to single devs.
gkiely 15 hours ago [-]
Yeah, this is just for anyone using node on their local machine.
Enabling `ignore-scripts=true` protects you from almost all of the recent compromises; `min-release-age=3` protects you from the rest. But you still typically need trusted dependency builds, which this script solves.
I hope that npm enables this by default in the future.
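An added example (not code from this thread or from the script the comment describes) showing what a dependency cooldown such as `min-release-age` does to version resolution. It takes a registry-style packument `time` map (constructed sample data, not a real package), drops every version published less than N days before a frozen "now", and returns the newest remaining release. The cooldown is assumed to be measured in days, matching the `min-release-age=3` value quoted above; the package name `example-lib` and all timestamps are invented.

```javascript
// Added example: model of cooldown-based version resolution.
// Not npm's or pnpm's own code; the unit (days) is an assumption.

const DAY_MS = 24 * 60 * 60 * 1000;

// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ?? null };
}

// Compare two versions; a prerelease sorts below its release (1.2.0-rc.1 < 1.2.0).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Newest stable version whose publish time is at least `minReleaseAgeDays`
// old as of `now`. Prereleases and versions inside the cooldown are skipped;
// returns null when nothing qualifies (install should fail, not fall through).
function resolveWithCooldown(packument, minReleaseAgeDays, now = Date.now()) {
  const cutoff = now - minReleaseAgeDays * DAY_MS;
  const eligible = Object.entries(packument.time)
    .filter(([key]) => key !== 'created' && key !== 'modified')
    .filter(([version]) => parseSemver(version).pre === null)
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([version]) => version)
    .sort(compareSemver);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Constructed packument fragment for a hypothetical package "example-lib".
// 2.0.1 was published two days before the frozen "now": this is the slot a
// freshly compromised release would occupy.
const SAMPLE_PACKUMENT = {
  name: 'example-lib',
  'dist-tags': { latest: '2.0.1' },
  time: {
    created: '2024-01-01T00:00:00.000Z',
    modified: '2024-03-10T12:00:00.000Z',
    '1.9.0': '2024-01-15T00:00:00.000Z',
    '2.0.0': '2024-02-20T00:00:00.000Z',
    '2.0.1-rc.1': '2024-03-08T00:00:00.000Z',
    '2.0.1': '2024-03-10T12:00:00.000Z',
  },
};
const NOW = Date.parse('2024-03-12T12:00:00.000Z');

// Resolve the same package with and without a 3-day cooldown.
function demo() {
  return {
    noCooldown: resolveWithCooldown(SAMPLE_PACKUMENT, 0, NOW),
    withCooldown: resolveWithCooldown(SAMPLE_PACKUMENT, 3, NOW),
  };
}
```

With no cooldown the resolver picks 2.0.1, the version that has only been on the registry for two days; with a 3-day cooldown it falls back to 2.0.0, which is the behaviour the comment relies on. Note that a cooldown only buys time for a compromised release to be noticed and unpublished; it does nothing for a backdoor that has already aged past the window, which is why the comment pairs it with `ignore-scripts=true` rather than using it alone.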
edoceo 1 day ago [-]
Yet again I'm asking folk to look at this artifact mirror that was Show HN a few months ago.
https://github.com/artifact-keeper
It's currently my favourite package gate keeper - after a few years of self-built jank