Comment by benoau
4 days ago
Or just 'npm ci' so you install exactly what's in your package-lock.json instead of the latest version bumps of those packages. This "automatic updating" is a big factor in why these attacks are working in the first place. Make package updating deliberate instead of instant or on an arbitrary lag.
You'd be surprised how many people run 'npm i' in their CI. I've seen this on multiple occasions.
'npm ci' is some mitigation, but doesn't protect against getting hit when running 'npm i(nstall)' during development.
Update your knowledge. "npm install" hasn't done auto-upgrades for years now.
"npm install" does not auto-upgrade packages, it installs them according to the lockfile.
It didn’t always work like that, but it has worked like that for many years.
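The disagreement above comes down to when the lockfile is honored versus rewritten. What separates the two commands is the sync check: `npm ci` refuses to run when package.json and package-lock.json disagree, while `npm install` resolves the discrepancy and rewrites the lockfile. The script below is an added example, not code from the thread or from npm itself; it reproduces that sync check in miniature so you can see exactly which drift would make `npm ci` fail (and `npm install` silently re-resolve). It assumes the lockfileVersion 2/3 layout (a `packages` map keyed by `node_modules/<name>`, with the root's declared ranges under the empty key) and uses a deliberately simplified range matcher that handles only exact, `^` and `~` ranges; the package.json and lockfile contents are constructed sample data, and the names `left`, `right` and `tool` are placeholders.

```javascript
// Added example: a miniature of the package.json / package-lock.json sync check
// that `npm ci` performs before installing. Not npm's own code.
// Assumption: lockfileVersion 2/3 layout ("packages" keyed by "node_modules/<name>").
// Assumption: only exact, caret (^) and tilde (~) ranges are supported here.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Simplified semver: ^x.y.z, ~x.y.z or an exact x.y.z.
function satisfies(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  if (r.startsWith('^')) {
    const lo = parseVersion(r.slice(1));
    // caret allows changes up to the next non-zero leading component
    const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0]
             : lo[1] > 0 ? [0, lo[1] + 1, 0]
             : [0, 0, lo[2] + 1];
    return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
  }
  if (r.startsWith('~')) {
    const lo = parseVersion(r.slice(1));
    return cmp(v, lo) >= 0 && cmp(v, [lo[0], lo[1] + 1, 0]) < 0;
  }
  return cmp(v, parseVersion(r)) === 0;
}

// Returns a list of reasons the lockfile is out of sync with package.json.
// An empty list is the state in which `npm ci` proceeds and `npm install`
// has nothing to rewrite.
function lockProblems(pkg, lock) {
  const problems = [];
  const want = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const packages = lock.packages || {};
  const root = packages[''] || {};
  const recorded = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };

  for (const [name, range] of Object.entries(want)) {
    const entry = packages[`node_modules/${name}`];
    if (!entry) { problems.push(`${name}: missing from lockfile`); continue; }
    if (!satisfies(entry.version, range)) {
      problems.push(`${name}: locked ${entry.version} does not satisfy ${range}`);
    }
    if (recorded[name] !== undefined && recorded[name] !== range) {
      problems.push(`${name}: package.json wants ${range}, lockfile root recorded ${recorded[name]}`);
    }
  }
  for (const name of Object.keys(recorded)) {
    if (!(name in want)) problems.push(`${name}: in lockfile root but no longer in package.json`);
  }
  return problems;
}

// Constructed sample data (placeholder package names, not real packages).
const SAMPLE_PACKAGE_JSON = {
  dependencies: { left: '^1.2.0', right: '~2.0.1' },
  devDependencies: { tool: '3.0.0' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { left: '^1.2.0', right: '~2.0.1' }, devDependencies: { tool: '3.0.0' } },
    'node_modules/left': { version: '1.4.2' },
    'node_modules/right': { version: '2.0.7' },
    'node_modules/tool': { version: '3.0.0' },
  },
};
// Someone edited package.json (bumped `left`, dropped `tool`) without regenerating the lock.
const DRIFTED_PACKAGE_JSON = { dependencies: { left: '^2.0.0', right: '~2.0.1' } };

for (const [label, pkg] of [['in sync', SAMPLE_PACKAGE_JSON], ['drifted', DRIFTED_PACKAGE_JSON]]) {
  const problems = lockProblems(pkg, SAMPLE_LOCK);
  console.log(`${label}: ${problems.length === 0 ? 'npm ci would proceed' : 'npm ci would refuse'}`);
  for (const p of problems) console.log(`  - ${p}`);
}
```

The in-sync pair yields no problems, which is the only state in which the two commands behave identically. The drifted pair is reported three ways (locked version outside the new range, root range mismatch, and a dependency removed from package.json but still recorded in the lock); `npm ci` stops on that, whereas `npm install` would re-resolve `left` from the registry and write a new lockfile, which is exactly the non-deliberate update the first comment warns about.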