|
|
|
|
|
|
by jschrf
1679 days ago
|
|
|
Thanks. I was thinking of a CI step that checked the SHA-256 of yarn.lock against a "last known good" value committed by an authorized committer and enforced by a branch policy. Signed audit logs seem like a good idea. Now...how to get developers to avoid using NPM and Yarn altogether on sensitive projects... |
|
|