Comment by vldszn
3 hours ago
friendly reminder:
- disable auto-updates for extensions in VS Code/Cursor
- use static analysis for GitHub Actions to catch security issues in a pre-commit hook and on CI: https://github.com/zizmorcore/zizmor
- set locally: pnpm config set minimum-release-age 4320 # 3 days in minutes https://pnpm.io/supply-chain-security
- for other package managers check: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e...
- add Socket Free Firewall when installing npm packages on CI to catch malware https://docs.socket.dev/docs/socket-firewall-free#github-act...
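As an added illustration (not part of the thread or of pnpm's code), here is what a "minimum release age" cooldown like the `pnpm config set minimum-release-age 4320` setting above actually does during resolution: any version published less than N minutes ago is treated as not yet eligible, so a freshly pushed malicious version is not picked up by installs until it has had time to be noticed and yanked. The package name and the registry metadata are constructed sample data; the `time` map mirrors the shape of the npm registry's per-version publish timestamps.

```javascript
// Added example: a cooldown-aware "latest" resolver, demonstrating the idea
// behind pnpm's minimum-release-age. Not pnpm's own implementation.
const MINUTES = 60 * 1000;

// Constructed sample packument (hypothetical package name). The `time` field
// follows the npm registry layout: { "<version>": "<ISO publish date>" }.
// 2.0.1 was published only 10 minutes before the NOW used below.
const SAMPLE_PACKUMENT = {
  name: 'example-lib',
  'dist-tags': { latest: '2.0.1' },
  time: {
    created: '2024-01-01T00:00:00.000Z',
    modified: '2024-06-10T11:50:00.000Z',
    '1.9.0': '2024-03-01T00:00:00.000Z',
    '2.0.0': '2024-06-01T00:00:00.000Z',
    '2.0.1': '2024-06-10T11:50:00.000Z',
  },
};

// Numeric compare for plain x.y.z version strings (no prerelease handling).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da - db;
  }
  return 0;
}

// Versions that have been public for at least `minAgeMinutes`, oldest first.
function eligibleVersions(packument, minAgeMinutes, now = new Date()) {
  const cutoff = now.getTime() - minAgeMinutes * MINUTES;
  return Object.entries(packument.time)
    .filter(([key]) => key !== 'created' && key !== 'modified')
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([version]) => version)
    .sort(compareVersions);
}

// Resolve "latest" under the cooldown: newest eligible version, or null if
// nothing has aged enough yet (a resolver would then fail loudly rather than
// silently fall back to the fresh version).
function resolveLatest(packument, minAgeMinutes, now = new Date()) {
  const eligible = eligibleVersions(packument, minAgeMinutes, now);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Stand-alone run with a fixed clock so the output is reproducible.
const NOW = new Date('2024-06-10T12:00:00.000Z');
console.log('no cooldown    ->', resolveLatest(SAMPLE_PACKUMENT, 0, NOW));
console.log('3-day cooldown ->', resolveLatest(SAMPLE_PACKUMENT, 4320, NOW));
```

With no cooldown the resolver returns the ten-minute-old 2.0.1; with the 3-day (4320 minute) setting it returns 2.0.0, which is the behaviour that buys defenders time when a compromised maintainer account pushes a bad release. The null case is worth keeping: a brand-new package with no version old enough should make the install fail rather than quietly bypass the policy.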
friendly reminder: use vim :)
If you are a person that installs extensions from public sources, it doesn't matter what IDE you use.
If you don't (or can't) install extensions, it also doesn't matter which IDE you use.
It honestly surprises me we don't hear news about vim/neovim plugin supply chain attacks.
probably a much smaller dependency graph (less use of transitive dependencies)
=)