by bhedgeoser
1388 days ago
1. There are thousands of dependencies in a usual lockfile.
2. A package author can push something other than the repository contents to npm, or change the contents before pushing to npm, making the whole open source thing useless.
3. As someone else pointed out, you can download+exec when an npm package is installed.