Comment by lloydatkinson

12 hours ago

This is probably the most batshit insane insecure advice I've ever read on Hacker News ever. And everyone is wondering why NPM based attacks are so prevalent? Advice like this is being followed.

Explain the attack that gets mitigated by reading the diff of a lockfile?

Every major npm attack I can think of essentially follows the pattern of "version X.Y.Z is secretly evil". How does seeing package@X.Y.Z in your lockfile alert you to that?

I think you misunderstand the functionality. It doesn't ignore the diff completely. It just replaces the full contents with "`Binary files differ`".

> Use -diff to completely hide the internal file content during a diff. Git will only report `Binary files differ` if the file changes.

Same as you would for binary files. It's still good advice to actually review the lockfile changes at some point.

You can also apparently write transformers to make it more human readable.
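An added example, not part of any comment in this thread, showing the `-diff` attribute the reply above describes in a throwaway repo: with `package-lock.json -diff` in `.gitattributes`, plain `git diff` collapses the lockfile hunk to `Binary files differ`, while `git diff --text` still shows the actual version change when you want to review it. It assumes `git` is installed; the package name and lockfile contents are constructed.

```shell
#!/bin/sh
# Added example: demonstrate the effect of a `-diff` gitattribute on a lockfile
# and how a reviewer still gets the full change with `git diff --text` (-a).
# Assumes git is on PATH. Everything happens in a temporary repository.
set -eu

# Create a scratch repo with a constructed lockfile, commit it, then simulate a
# dependency bump in the working tree. Prints the repo path for the caller.
make_demo_repo() {
    dir=$(mktemp -d)
    git -c init.defaultBranch=main -C "$dir" init -q
    git -C "$dir" config user.email "demo@example.invalid"
    git -C "$dir" config user.name "demo"
    # Mark the lockfile -diff: git reports only "Binary files differ" for it.
    printf 'package-lock.json -diff\n' > "$dir/.gitattributes"
    # Constructed lockfile content (not a real package).
    printf '{"packages":{"node_modules/example-pkg":{"version":"1.0.0"}}}\n' \
        > "$dir/package-lock.json"
    git -C "$dir" add .
    git -C "$dir" commit -q -m "constructed baseline"
    # The "bump" a reviewer would want to notice: 1.0.0 -> 1.0.1
    printf '{"packages":{"node_modules/example-pkg":{"version":"1.0.1"}}}\n' \
        > "$dir/package-lock.json"
    printf '%s\n' "$dir"
}

# Default view: the -diff attribute suppresses the hunk entirely.
collapsed_diff() {
    git -C "$1" diff -- package-lock.json
}

# Review view: --text forces git to diff the file as text, overriding -diff,
# so the version change is visible without touching .gitattributes.
full_diff() {
    git -C "$1" diff --text -- package-lock.json
}

# Run both views so the difference is visible when executed directly.
repo=$(make_demo_repo)
echo "== git diff (with -diff attribute) =="
collapsed_diff "$repo"
echo "== git diff --text (review view) =="
full_diff "$repo"
rm -rf "$repo"
```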

It’s fine imo, you’ll still see the diffs in PRs before merging, but the majority of the time it’s just noise when developing locally. LLM agents also use git diffs frequently; why spend 10x the tokens analyzing package lock diffs instead of actual business logic changes?