Comment by brw
2 months ago
Isn't that what lockfiles are for? By default `npm i` downloads exactly the versions specified in your lockfile, and only resolves the latest versions matching the ranges specified in package.json if no lockfile exists. But CI/CD pipelines should definitely be using `npm ci` instead, which will only install packages from a lockfile and throws an error if it doesn't exist.
That and pin that damn version!
It’s still ridiculous to me that version pinning isn’t the default for npm.
The first thing I do for all of my projects is to add a `.npmrc` with `save-exact=true`.
`save-exact` is mostly useless against such attacks because it only works on direct dependencies.
1 reply →
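The point made in the thread, that `save-exact` only pins what you declare yourself while the ranges your transitive dependencies declare stay as ranges, can be checked mechanically. The script below is an added example, not code posted by any commenter: it walks a `package.json` and a `package-lock.json` (lockfileVersion 3 layout) and lists every specifier that is still a range. The package names, versions and manifests are constructed for the demonstration.

```javascript
// Added example: audit direct and transitive version specifiers.
// save-exact=true makes npm write exact versions into *your* package.json,
// but the `dependencies` ranges recorded for each package inside the lockfile
// are whatever that package's author declared, so they remain ranges.

// An exact semver version: MAJOR.MINOR.PATCH with optional prerelease/build,
// and no range operator (^, ~, >=, x, *, ||).
const EXACT_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactSpec(spec) {
  return typeof spec === "string" && EXACT_RE.test(spec);
}

// Direct dependencies declared with a range in package.json.
function unpinnedDirectDeps(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isExactSpec(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

// In a v3 lockfile, lock.packages maps "node_modules/<name>" paths to entries;
// each entry's own `dependencies` object repeats the ranges that package declares
// for its children. Those ranges decide what a resolve without the lockfile pulls in.
function unpinnedTransitiveRanges(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root entry mirrors package.json, already covered above
    for (const [name, spec] of Object.entries(entry.dependencies || {})) {
      if (!isExactSpec(spec)) out.push({ parent: path, name, spec });
    }
  }
  return out;
}

function auditManifests(pkg, lock) {
  return {
    direct: unpinnedDirectDeps(pkg),
    transitive: unpinnedTransitiveRanges(lock),
  };
}

// Constructed sample manifests (hypothetical package names and versions).
const samplePackageJson = {
  name: "demo-app",
  version: "1.0.0",
  dependencies: { "left-thing": "1.2.3", "widget-kit": "^4.0.0" },
  devDependencies: { "test-runner": "~2.1.0" },
};

const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "left-thing": "1.2.3", "widget-kit": "^4.0.0" } },
    "node_modules/left-thing": { version: "1.2.3" },
    // widget-kit is installed at an exact version, but it declares a range
    // for helper-lib; save-exact in the consuming project cannot change that.
    "node_modules/widget-kit": { version: "4.0.2", dependencies: { "helper-lib": "^1.0.0" } },
    "node_modules/helper-lib": { version: "1.3.0" },
  },
};

const report = auditManifests(samplePackageJson, sampleLock);
for (const d of report.direct) {
  console.log(`direct   ${d.field}.${d.name} = ${d.spec}`);
}
for (const t of report.transitive) {
  console.log(`transitive ${t.parent} -> ${t.name} = ${t.spec}`);
}
```

Run it with `node audit.js` after swapping the constructed objects for `JSON.parse(fs.readFileSync("package.json"))` and the lockfile. The transitive ranges it reports only bite when the lockfile is not honoured, which is exactly the case `npm ci` is meant to rule out in a pipeline: it refuses to run without a lockfile and installs precisely the `version` fields recorded there.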