Comment by kalcode

> but NPM makes it dangerous to merely open a project up in an IDE.

It does not. Opening a project in an IDE has always been dangerous because there are about a thousand language server and analysis tools that run in the background. This is why IDEs ask you whether you trust the contents of a repository.

An even if some automated background execution initiated by the IDE doesn't get you, running `npm run test` 15 seconds later will.

It is the same for Crates.io and PyPI they also supply scripts without asking the user so opening an IDE will run them. For PyPI you need to even execute scripts to discover the dependencies!

That's a good point. For me it's getting people to realize they need to take up practice that help minimize these things. It's kinda us and them problem.

We need to ensure we don't just blindly install the latest, patch every CVE by just bumping everything to the latest even if the vulnerability has nothing to do with their system or use of said library.

We should have rules that we install the latest that's older than three days.

We should be running "npm audit" and other stuff like Trivy.

The three day rule alone could save most people.

nuget have targets, and allow to run code on build, it doesn't have this problem because there is less dependencies.

Pip, Composer, RubyGems, NuGet, and several others have lifecycle scripts.

As of course do the OS managers -- apt, yum, Homebrew.

Almost all of them.