Comment by AndreasHae
2 months ago
It’s still ridiculous to me that version pinning isn’t the default for npm.
The first thing I do for all of my projects is to add a .npmrc with save-exact=true
save-exact is mostly useless against such attacks because it only works on direct dependencies.
Why, though?
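To illustrate the point made about save-exact, here is an added example (not code from the thread or from npm itself) that walks a constructed, hypothetical dependency graph and reports every dependency edge that is declared as a range rather than an exact version. The root manifest is what save-exact produces; the dependency manifests are not ours to pin.

```javascript
// Added example (not from the thread): shows why save-exact only pins
// direct dependencies. All package names and manifests below are constructed.
const manifests = {
  "my-app": {
    name: "my-app",
    // written by `npm install --save-exact`: exact version, no range
    dependencies: { "lib-a": "1.4.2" },
  },
  "lib-a": {
    name: "lib-a",
    // a dependency's own package.json is not under our control;
    // it still declares a caret range, so lib-b can float on install
    dependencies: { "lib-b": "^2.0.0" },
  },
  "lib-b": { name: "lib-b", dependencies: {} },
};

// An exact pin is a bare semver version (optionally with a prerelease tag).
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

function isExact(spec) {
  return EXACT.test(spec);
}

// Breadth-first walk from `root`; return every edge whose spec is a range
// rather than an exact version, tagged with its depth (1 = direct dependency).
function findUnpinned(manifests, root) {
  const unpinned = [];
  const seen = new Set();
  const queue = [[root, 1]];
  while (queue.length) {
    const [name, depth] = queue.shift();
    if (seen.has(name)) continue;
    seen.add(name);
    const deps = (manifests[name] && manifests[name].dependencies) || {};
    for (const [dep, spec] of Object.entries(deps)) {
      if (!isExact(spec)) unpinned.push({ from: name, dep, spec, depth });
      queue.push([dep, depth + 1]);
    }
  }
  return unpinned;
}

// Only the transitive edge is reported: save-exact pinned lib-a, not lib-b.
console.log(findUnpinned(manifests, "my-app"));
// → [ { from: 'lib-a', dep: 'lib-b', spec: '^2.0.0', depth: 2 } ]
```

What actually freezes the transitive versions is a committed package-lock.json installed with `npm ci`, which fails rather than re-resolving when the lockfile and package.json disagree.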