01walid

I'm using multiple Android apps for reading hackernews (Harmonic, Hacki, Materialistic), all of them struggle to fetch the current top news (frontpage news). I often need to refresh multiple times to get them to work. That specific endpoint feels like aggressively throttled.

However the web version works just fine.

Is it just me? Are other people facing the same problem?

The fact that any dependency can run a postinstall script is a supply chain attack risk!

I believe package managers (npm, pnpm, yarn ..) need to account for a `allowList`-like implementation to give more granularity to what dependency can run a postinstall, as opposed to the all-in or not `--ignore-scripts` option.

It can be made backward-compatible, where it's allowed by default if there's no allowList, else, only the allowed deps if present.

An empty array would be equivalant to `--ignore-scripts` by default.

Orgs/teams can define their own allowList and have it enforced as a policy or a recommendation.

I know this is not enough to fully mitigate suply chain attacks, but it'd be a postive step forward.

I'm not sure where to post such a proposal? npm ?