Hacker News
by andrewmcwatters 1620 days ago
Now instead of npm packages abusing SemVer unless you use non-default --save-exact behavior as an attack vector, we can import modules from URLs without subresource integrity unless you use non-default lock file behavior! Great! We learned nothing!
1 comment

Hence why developers always recommend using immutable sources when importing modules.
The web isn't immutable.
"Immutable" in the sense that packages can't be taken down or modified by authors.

If you want to take it a step further, you can always opt in to that lock file with various degrees of strictness, as you yourself mentioned.