Comment by tiagod

3 months ago

Or use pnpm. The latest versions have all dependency lifecycle scripts ignored by default. You must whitelist each package.

pnpm is not only more secure, it's also faster, more efficient wrt disk usage, and more deterministic by design.

  • It also has catalogs feature for defining versions or version ranges as reusable constants that you can reference in workspace packages. It was almost the only reason (besides speed) I switched a year ago from npm and never looked back.

This is the way. It’s a pain to manually disable the checks, but certainly better than becoming victim to an attack like this.
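Added example of the two pnpm features mentioned in this thread (the per-package allow-list for dependency lifecycle scripts, and catalogs); this is not a file from any commenter, and the package names and versions in it are placeholders chosen for illustration.

```yaml
# pnpm-workspace.yaml (added example, not from the thread)
packages:
  - "packages/*"

# With pnpm 10, postinstall/preinstall/install scripts of dependencies are
# skipped unless the package is listed here. Keep this list short and review
# every entry: each one is a package you are allowing to run code on install.
onlyBuiltDependencies:
  - esbuild       # placeholder: a package whose install script you have reviewed

# Catalog: version ranges defined once and referenced from workspace packages,
# so every package in the monorepo resolves the same range.
catalog:
  react: ^18.3.1        # placeholder versions
  typescript: ^5.6.0
```

A workspace package then references a catalog entry with the `catalog:` protocol in its package.json, for example `"react": "catalog:"`, instead of repeating the range. When pnpm skips a dependency's build script it reports the package at install time, so a new entry in `onlyBuiltDependencies` should appear in review as a deliberate decision rather than a silent change; the same list can also live under the `pnpm.onlyBuiltDependencies` key of the root package.json if you prefer not to use a workspace file.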