Comment by jMyles
1 hour ago
To delay updates, you mean?
I'm curious though: how do you avoid being stuck on the _vulnerable_ versions, delaying updates?
pnpm disables all install scripts by default and makes it trivial to whitelist the few you need. It's usually just one or two, or sometimes zero, depending on the project. Even without malware, most postinstall scripts are used for spam and analytics, and running them makes your life worse.
npm should have died long ago, I don't know why it's still being used.
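An added example, not part of the comments above: before switching install scripts off, this walks an existing `node_modules` tree and reports which packages declare install-time hooks, which is the list an allowlist has to be chosen from. It assumes an npm-style tree of real directories; the package names and script commands in the sample tree are constructed.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Yield every package directory below a node_modules folder, descending into
// scope folders (@scope/name) and nested node_modules directories.
function* packageDirs(nodeModules) {
  if (!fs.existsSync(nodeModules)) return;
  for (const entry of fs.readdirSync(nodeModules, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith(".")) continue;
    const dir = path.join(nodeModules, entry.name);
    if (entry.name.startsWith("@")) { yield* packageDirs(dir); continue; }
    yield dir;
    yield* packageDirs(path.join(dir, "node_modules"));
  }
}

// Return packages that declare an install-time hook and are not allowlisted.
function auditInstallScripts(root, allowlist = []) {
  const findings = [];
  for (const dir of packageDirs(path.join(root, "node_modules"))) {
    let manifest;
    try { manifest = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8")); }
    catch { continue; } // missing or unparsable manifest: skip this directory
    const hooks = INSTALL_HOOKS.filter((h) => manifest.scripts && manifest.scripts[h]);
    if (hooks.length && !allowlist.includes(manifest.name)) {
      findings.push({ name: manifest.name, hooks });
    }
  }
  return findings.sort((a, b) => (a.name < b.name ? -1 : 1));
}

// Constructed sample tree in a temp directory (hypothetical package names).
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "hook-audit-"));
  const put = (rel, manifest) => {
    const dir = path.join(root, "node_modules", rel);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, "package.json"), JSON.stringify(manifest));
  };
  put("native-addon", { name: "native-addon", scripts: { install: "node-gyp rebuild" } });
  put("@acme/telemetry", { name: "@acme/telemetry", scripts: { postinstall: "node notify.js" } });
  put("plain-lib", { name: "plain-lib", scripts: { test: "node test.js" } });
  put("plain-lib/node_modules/nested-hook", { name: "nested-hook", scripts: { preinstall: "node setup.js" } });
  return root;
}
```

Calling `auditInstallScripts(projectRoot, ["native-addon"])` on a real project returns only the hooks that have not yet been reviewed.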