by arcatek
2748 days ago
Worth noting that the principle of "a package can only access the dependencies it declared" is already something that we (Yarn) are pushing through Plug'n'Play. We're not focused on security (yet), but any help we can get to move the ecosystem towards a stricter model will help you in the long term (by ensuring that common tools will be compatible with the even stricter model you're advocating).

[1] https://github.com/yarnpkg/rfcs/pull/101
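As an added illustration of the rule the comment describes (example code, not Yarn's Plug'n'Play implementation and not the commenter's), a toy resolver compares a hoisted node_modules lookup, where any installed package is reachable, with a declared-dependencies-only lookup over a constructed package graph.

```javascript
// Constructed package graph for illustration: "app" declares only left-pad,
// left-pad declares util, so util is a transitive dependency of app.
const graph = {
  app: { version: "1.0.0", dependencies: { "left-pad": "1.3.0" } },
  "left-pad": { version: "1.3.0", dependencies: { util: "2.0.0" } },
  util: { version: "2.0.0", dependencies: {} },
};

// Own-property lookup so requests like "constructor" cannot resolve via the
// object prototype chain.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hoisted node_modules model: every installed package is visible to every
// other package, so an undeclared transitive dependency resolves silently.
function resolveHoisted(fromPkg, request) {
  if (!has(graph, fromPkg)) throw new Error(`unknown package ${fromPkg}`);
  return has(graph, request) ? `${request}@${graph[request].version}` : null;
}

// Strict model (the principle PnP enforces): only the requesting package's
// declared dependencies, at the declared version, are visible to it.
function resolveStrict(fromPkg, request) {
  if (!has(graph, fromPkg)) throw new Error(`unknown package ${fromPkg}`);
  const declared = graph[fromPkg].dependencies;
  if (!has(declared, request)) {
    return { ok: false, reason: `${fromPkg} does not declare ${request}` };
  }
  return { ok: true, resolved: `${request}@${declared[request]}` };
}

// Demonstration: app reaching util works under hoisting but is refused
// under the strict model; left-pad reaching util is allowed under both.
for (const [from, req] of [["app", "util"], ["app", "left-pad"], ["left-pad", "util"]]) {
  console.log(from, "->", req, "| hoisted:", resolveHoisted(from, req),
    "| strict:", JSON.stringify(resolveStrict(from, req)));
}
```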