by vitaliyf 3083 days ago
You run a private NPM mirror where you copy dependencies that you rely on, after auditing them (for code quality and licensing).
5 comments

Realistically if someone were to sneak something in, what kind of audit would you need to be able to catch it?
Wouldn't just pinning the hash of a package be a better solution?
That’s probably fine from the security perspective, but the hash won’t make the package re-appear if it disappears out of nowhere. That’s the other benefit of a private/on-premises mirror.
True. I work with PyPI and it's been extremely solid for years, so we tend to just not consider this a problem at all. Pipenv stores hashes for each package version as well, so you get the security aspect built in.

Pipenv has pretty much fixed Python packaging/dependencies, in my opinion. It's the all-in-one tool I've always wanted. If you do any Python work, try it, it's great.
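The hash pinning discussed in the two comments above, as an added example that is not from the thread: it verifies fetched package bytes against an npm package-lock.json `integrity` value (SRI format, `sha512-<base64>`) or a Pipfile.lock hash entry (`sha256:<hex>`), refuses weak algorithms, and reports packages that are missing or tampered. The tarball bytes and package names are constructed placeholders.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample bytes standing in for a downloaded package tarball.
SAMPLE_TARBALL = b"constructed-tarball-bytes-for-some-package@1.0.0"

def sri_pin(data: bytes, algo: str = "sha512") -> str:
    """Build an npm package-lock.json style 'integrity' value (SRI format)."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def pipenv_pin(data: bytes, algo: str = "sha256") -> str:
    """Build a Pipfile.lock style hash entry ('sha256:<hex>')."""
    return f"{algo}:{hashlib.new(algo, data).hexdigest()}"

def parse_pin(pin: str) -> Tuple[str, bytes]:
    """Split a pin into (algorithm, raw digest); accepts both formats above."""
    if ":" in pin:                      # Pipenv style: hex digest
        algo, hexdigest = pin.split(":", 1)
        return algo, bytes.fromhex(hexdigest)
    algo, b64 = pin.split("-", 1)       # SRI style: base64 digest
    return algo, base64.b64decode(b64, validate=True)

def verify_pin(data: bytes, pin: str) -> bool:
    """True iff data hashes to the pinned digest under an acceptable algorithm."""
    algo, expected = parse_pin(pin)
    if algo not in ("sha256", "sha384", "sha512"):
        # Older lockfiles can carry sha1 pins; refuse them rather than trust them.
        raise ValueError(f"unacceptable hash algorithm in pin: {algo}")
    actual = hashlib.new(algo, data).digest()
    return hmac.compare_digest(actual, expected)   # constant-time compare

def check_lock(lock: Dict[str, str], fetched: Dict[str, bytes]) -> List[str]:
    """Return names of packages that are missing or whose bytes do not match.

    A missing package is reported too: the pin cannot bring it back, which is
    the gap a private mirror closes.
    """
    bad = []
    for name, pin in lock.items():
        data = fetched.get(name)
        if data is None or not verify_pin(data, pin):
            bad.append(name)
    return bad
```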

Yarn caches locally, doesn't it?
Easiest solution without infrastructure imo is to vendor node_modules as a git submodule.

(Of course it's even easier to just add node_modules to the repo but that is messy).

And you'd better fork the git repo, otherwise the incident happening to npm can happen on GitHub / whatever remote repo.
I don't know JS, but this sounds like a lot more work than just checking everything into your repo?
This, or if you have the money there are companies that do that for you.