by tiagod 291 days ago
Or use pnpm. The latest versions have all dependency lifecycle scripts ignored by default. You must whitelist each package.

pnpm is not only more secure, it's also faster, more efficient wrt disk usage, and more deterministic by design.
It also has catalogs feature for defining versions or version ranges as reusable constants that you can reference in workspace packages. It was almost the only reason (besides speed) I switched a year ago from npm and never looked back.
workspace protocol in monorepo is also great, we're using it a lot.
OK so it seems too good now, what are the downsides?
If you relied on hoisting of transitive dependencies, you'll now have to declare that fact in a project's .npmrc.

Small price to pay for all the advantages already listed.

They’re moving all that to the pnpm-workspace.yaml file now.
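As an added illustration (not a file from the thread or from the pnpm project), here is what the three settings discussed above look like when they all live in pnpm-workspace.yaml: the lifecycle-script allowlist from the top comment, the explicit hoisting declaration that previously went into .npmrc, and a catalog of shared versions. It assumes pnpm 10, where pnpm-workspace.yaml accepts the camelCase form of the old .npmrc keys; the package names and versions are constructed sample values.

```yaml
# pnpm-workspace.yaml (added example; assumes pnpm 10, sample values are constructed)
packages:
  - "packages/*"

# Lifecycle scripts (preinstall/install/postinstall) of dependencies do NOT run
# unless the package is listed here. `pnpm install` prints the packages whose
# builds were skipped; review each one before adding it (or use `pnpm approve-builds`).
onlyBuiltDependencies:
  - esbuild            # sample: fetches its platform binary in a postinstall script

# Packages whose scripts you reviewed and decided to keep disabled; listing them
# here silences the "ignored build scripts" warning without running anything.
ignoredBuiltDependencies:
  - core-js            # sample: postinstall only prints a message

# Hoisting: pnpm keeps transitive dependencies out of the root node_modules.
# If a tool relied on finding them there under npm, declare that explicitly
# instead of enabling shamefullyHoist for everything. (The .npmrc equivalents
# are public-hoist-pattern / hoist-pattern.)
publicHoistPattern:
  - "*eslint*"
  - "*prettier*"

# Catalog: one place for version ranges that workspace packages reference.
catalog:
  react: ^18.3.1
  typescript: ^5.6.0
```

In a workspace package's package.json a catalog entry is referenced as `"react": "catalog:"`, and a sibling package in the same monorepo as `"@acme/utils": "workspace:*"` (the workspace protocol mentioned above), so bumping a version means editing one line in the YAML rather than every package.json.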
‘pnpm’ is great, swapped to it a year ago after yarn 1->4 looked like a new project every version and npm had an insane dependency resolution issue for platform-specific packages.

pnpm had good docs and was easy to put in place. Recommended.

A few years ago it didn't work in all cases when npm did. It made me stop using it because I didn't want to constantly check with two tools. The speed boost is nice but I don't need to npm install that often.
Downside is that you have to add "p" in front, i.e. instead of "npm" you have to type "pnpm". That's all that I'm aware of.
Personally, I didn't find a way to create one docker image for each of my projects (in a pnpm monorepo) in an efficient way.
That’s not really a pnpm problem on the face of it.
Same for bun, which I find faster than pnpm.
Bun still executes the scripts of a certain hardcoded list of 500 packages, so it's not exactly the same.
This is the way. It’s a pain to manually disable the checks, but certainly better than becoming a victim of an attack like this.