Comment by smrq
3 hours ago
Explain the attack that gets mitigated by reading the diff of a lockfile?
Every major npm attack I can think of essentially follows the pattern of "version X.Y.Z is secretly evil". How does seeing package@X.Y.Z in your lockfile alert you to that?
No comments yet
Contribute on Hacker News ↗