Comment by efortis

fs and net can be mitigated with `--permission`

https://nodejs.org/api/permissions.html

Regardless, it’s worth using `--ignore-scripts=true` because that’s the common vector these supply chain attacks target. Consider that when automating the attack, adding it to the application code is more difficult than injecting it into life-cycle scripts, which have well-known config lines.