

31 · 3 days ago

That sounds more like bad practices from the community. It definitely has ways to use exact versions, not the least of which is the lock file, or the shrinkwrap file, which public packages should be using.

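As an added illustration of the point about exact versions (example code written for this page, not posted by any commenter), the following Node.js snippet scans a package.json and reports every dependency specifier that can resolve to more than one version when installed without a lockfile. The manifest and package names are constructed for the example.

```javascript
// Added example: flag dependency specifiers that are not pinned to one version.
// With a committed package-lock.json and `npm ci` the resolved versions are fixed
// anyway; this check is for manifests that are shipped or installed without one.

// Exact semver: MAJOR.MINOR.PATCH, optional prerelease/build, optional "=" or "v".
const EXACT_VERSION = /^[=v]?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Returns "exact" when the specifier can only ever resolve to one artifact,
// otherwise "floating" (ranges, dist-tags, branches, mutable URLs).
function classifySpecifier(spec) {
  const s = String(spec).trim();
  if (EXACT_VERSION.test(s)) return "exact";
  // Alias form "npm:<pkg>@<version>" is exact only if the inner version is.
  if (s.startsWith("npm:")) {
    const at = s.lastIndexOf("@");
    return at > 4 && EXACT_VERSION.test(s.slice(at + 1)) ? "exact" : "floating";
  }
  // Local paths are content the author controls, so treat them as pinned.
  if (/^(file:|\.{1,2}\/|\/)/.test(s)) return "exact";
  // Git/HTTP sources are immutable only when pinned to a full 40-hex commit.
  if (/^(git\+|git:|github:|https?:\/\/)/.test(s)) {
    return /#[0-9a-f]{40}$/.test(s) ? "exact" : "floating";
  }
  // Anything else (^, ~, >=, *, x-ranges, "latest", "") floats.
  return "floating";
}

// Collect floating specifiers across all dependency sections of a manifest.
function findFloatingDependencies(pkg) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const floating = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (classifySpecifier(spec) === "floating") floating.push({ section, name, spec });
    }
  }
  return floating;
}

// Constructed sample manifest (hypothetical package names, not a real project).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    "util-a": "^1.3.0",                  // caret range: any 1.x >= 1.3.0
    "util-b": "2.0.1",                   // exact
    "util-c": "latest",                  // dist-tag: whatever is published now
    "util-d": "npm:util-b@2.0.1",        // alias with exact inner version
    "util-e": "github:someorg/repo#main" // branch name: mutable
  },
  devDependencies: { "tool-f": "~4.1.0" } // tilde range: any 4.1.x >= 4.1.0
});

for (const f of findFloatingDependencies(JSON.parse(SAMPLE_PACKAGE_JSON))) {
  console.log(`${f.section}/${f.name}: "${f.spec}" is not pinned to one version`);
}
```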


Genuine question. How is NPM more vulnerable than other repos? Haven’t similar supply chain attacks succeeded at least as well as this one through GitHub itself and even Linux package repos?


Progress… lol
I wouldn’t say pulling in higher versions is unsafe unless an attack like this succeeds. Otherwise it’s only an annoyance.