Hacker News new | ask | show | jobs
by wycats 3732 days ago
The note offers this workaround for npm: "Use npm shrinkwrap to lock down your dependencies", which will prevent the worm from spreading purely because of an install of a checked-out app.

Any application package manager with a lockfile-based workflow (like Bundler, CocoaPods, Cargo, etc.) would at least have this mitigation as a default part of the workflow.


Shrinkwrap might work for a bit, but if you regenerate the file you will run into the same issue.

A way to protect yourself 100% against the problem is to define your dependency as a link to a specific commit or tarball.

Or a specific version, since they can't be written to twice in the npm repo.
According to https://news.ycombinator.com/item?id=11341142, in at least one case now, this is not true.
Except the exact same code was republished, so the point still stands.
This time
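The thread's two suggestions, locking with shrinkwrap and pinning each dependency to an exact version, a commit or a tarball, come down to one question: can a fresh `npm install` (or a regenerated shrinkwrap file) resolve a specifier to code other than what was reviewed? The script below is an added example, not code from the thread or from npm, that answers that question for the specifiers in a package.json. The classification rules are my assumptions: an exact semver version counts as pinned only because the registry refuses to let a version be republished (the property the thread relies on, and notes an exception to); a git URL counts as pinned only when its fragment is a full 40-hex commit SHA, since branches and tags move; a tarball URL is treated as pinned on the assumption that the host keeps it immutable. The package.json is constructed for the example.

```javascript
// Added example: flag dependency specifiers that npm would re-resolve on a
// fresh install (so a regenerated shrinkwrap could pick up different code).
// Classification rules below are assumptions, not npm's own resolution logic.

// Exact version: "1.2.3", optional leading "=", optional prerelease/build.
const EXACT_SEMVER = /^=?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// Explicit tarball URL (assumed immutable on the host).
const TARBALL_URL = /^https?:\/\/\S+\.(?:tgz|tar\.gz)$/i;
// Git-style specifiers: git+<proto>://, git://, hosted shorthands, *.git URLs,
// or the bare "owner/repo" GitHub shorthand.
const GIT_LIKE = /^(?:git\+[a-z]+:|git:|github:|gitlab:|bitbucket:|https?:\/\/[^#]*\.git|[\w.-]+\/[\w.-]+)/i;
const FULL_SHA = /^[0-9a-f]{40}$/i;

// Returns { pinned, kind, reason? } for one specifier string.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT_SEMVER.test(s)) return { pinned: true, kind: 'exact-version' };
  if (TARBALL_URL.test(s)) return { pinned: true, kind: 'tarball-url' };
  if (GIT_LIKE.test(s)) {
    const hash = s.indexOf('#');
    const ref = hash === -1 ? '' : s.slice(hash + 1);
    if (FULL_SHA.test(ref)) return { pinned: true, kind: 'git-commit' };
    return {
      pinned: false,
      kind: 'git-ref',
      reason: ref ? `ref "${ref}" is a branch or tag and can move` : 'no commit given, resolves to the default branch',
    };
  }
  // Ranges ("^1.0.0", "~1.2", "1.x", ">=2"), "*", "latest" and other dist-tags.
  return { pinned: false, kind: 'range-or-tag', reason: `"${s}" can resolve to a newer publish` };
}

// Walks the dependency fields of a parsed package.json and returns the
// entries that are not pinned, in document order.
function findUnpinnedDependencies(pkg) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const c = classifySpec(spec);
      if (!c.pinned) out.push({ field, name, spec, reason: c.reason });
    }
  }
  return out;
}

// Constructed sample package.json (names and URLs are made up for the example).
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    alpha: '^1.0.0',                                   // range: floats
    beta: '4.17.0',                                    // exact: pinned
    gamma: 'github:acme/gamma#master',                 // branch: floats
    delta: 'git+https://github.com/acme/delta.git#0123456789abcdef0123456789abcdef01234567', // commit: pinned
    epsilon: 'https://example.com/epsilon-2.0.0.tgz',  // tarball: pinned (assumed immutable)
  },
  devDependencies: {
    zeta: 'latest',                                    // dist-tag: floats
    eta: '*',                                          // any version: floats
  },
};

const report = findUnpinnedDependencies(SAMPLE_PACKAGE_JSON);
for (const d of report) {
  console.log(`${d.field}.${d.name}: ${d.spec} -> ${d.reason}`);
}
```

Run it against a real project by replacing `SAMPLE_PACKAGE_JSON` with `JSON.parse(require('fs').readFileSync('package.json', 'utf8'))`. It only looks at the direct dependencies in package.json; what transitive dependencies resolve to is recorded in the shrinkwrap file, which is exactly why regenerating that file reopens the problem for every entry this check flags.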