undefined | Better HN

0 pointsktRolster10y ago0 comments

The article suggests this:

  >
  >As a user who owns modules you should not stay logged into npm. (Easily enough, npm logout and npmlogin)
  >Use npm shrinkwrap to lock down your dependencies
  >Use npminstall someModule --ignore-scripts
  >

I would add to toss a glance at the libraries you import every once in a while. Just to make sure they look sane.

0 comments

u22334410y ago

--ignore-scripts won't help much. The act of using any npm module means you implicitly trust all the javascript code in the module and any of its dependencies. Has anyone taken the time to inspect every line of the dozens of modules that many common packages pull in? Not likely.

j / k navigate · click thread line to collapse

0 pointsktRolster10y ago0 comments

The article suggests this:

  >
  >As a user who owns modules you should not stay logged into npm. (Easily enough, npm logout and npmlogin)
  >Use npm shrinkwrap to lock down your dependencies
  >Use npminstall someModule --ignore-scripts
  >

I would add to toss a glance at the libraries you import every once in a while. Just to make sure they look sane.

0 comments

u22334410y ago

j / k navigate · click thread line to collapse