by brw 272 days ago
Isn't that what lockfiles are for? By default `npm i` downloads exactly the versions specified in your lockfile, and only resolves the latest versions matching the ranges specified in package.json if no lockfile exists. But CI/CD pipelines should definitely be using `npm ci` instead, which will only install packages from a lockfile and throws an error if it doesn't exist.

That and pin that damn version!
It’s still ridiculous to me that version pinning isn’t the default for npm.

The first thing I do for all of my projects is to add a .npmrc with save-exact=true

save-exact is mostly useless against such attacks because it only works on direct dependencies.
Why, though?
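The two points raised in the thread, that a lockfile (and `npm ci`) pins the whole tree while save-exact only pins what is written into package.json, can be made concrete by inspecting the files directly. The following is an added example, not code from the thread or from npm itself. It parses a constructed package.json and a constructed lockfileVersion 3 package-lock.json, reports which direct dependencies carry a range spec (what save-exact=true would have turned into exact versions), shows which packages the lockfile pins that the manifest never mentions, and models, in simplified form, the two conditions under which `npm ci` aborts: no lockfile, or a lockfile whose root entry no longer matches package.json. The function names and the sample package versions are assumptions made for the example.

```python
"""Lockfile vs. save-exact checks (added example, not from the thread or from npm)."""
import json
import re

# Constructed sample files standing in for a project's package.json and
# package-lock.json (lockfileVersion 3 layout). They are not from any real project;
# the package names and versions are illustrative only.
PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {"left-pad": "1.3.0", "lodash": "^4.17.21"},
    "devDependencies": {"jest": "~29.7.0"},
})

PACKAGE_LOCK_JSON = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        # The "" entry mirrors the manifest; every other key is an installed path.
        "": {
            "dependencies": {"left-pad": "1.3.0", "lodash": "^4.17.21"},
            "devDependencies": {"jest": "~29.7.0"},
        },
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/jest": {"version": "29.7.0"},
        # A transitive dependency: pinned by the lockfile, absent from package.json.
        "node_modules/jest/node_modules/chalk": {"version": "4.1.2"},
    },
})

# An exact version has no range operator (^, ~, >=, x, *): 1.2.3, optionally with
# a prerelease or build suffix.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def direct_deps(manifest):
    """Merge dependencies and devDependencies of a parsed package.json-shaped dict."""
    merged = {}
    merged.update(manifest.get("dependencies", {}))
    merged.update(manifest.get("devDependencies", {}))
    return merged


def unpinned_direct_deps(package_json_text):
    """Direct dependencies whose spec is a range, i.e. what save-exact=true would have avoided."""
    manifest = json.loads(package_json_text)
    return {name: spec for name, spec in direct_deps(manifest).items()
            if not EXACT_VERSION.match(spec)}


def lockfile_pins(lock_text):
    """Map package name -> resolved version for every installed package in the lockfile.

    Scoped packages ("node_modules/@scope/name") keep their scope; if the same name is
    installed at several nested paths, the last one seen wins (enough for this report).
    """
    lock = json.loads(lock_text)
    pins = {}
    for path, entry in lock["packages"].items():
        if path == "":
            continue  # root project entry describes the manifest, not an installed package
        pins[path.rsplit("node_modules/", 1)[1]] = entry["version"]
    return pins


def pin_report(package_json_text, lock_text):
    """Contrast the two mechanisms: the manifest (save-exact) can only pin direct deps,
    the lockfile pins direct and transitive deps alike."""
    direct = direct_deps(json.loads(package_json_text))
    pins = lockfile_pins(lock_text)
    return {
        "direct_pinned_by_manifest": sorted(n for n, s in direct.items() if EXACT_VERSION.match(s)),
        "direct_pinned_by_lockfile": sorted(n for n in pins if n in direct),
        "transitive_pinned_by_lockfile": sorted(n for n in pins if n not in direct),
    }


def npm_ci_precheck(package_json_text, lock_text):
    """Simplified model of why `npm ci` refuses to run (assumption: only these two cases
    are modelled). Returns None when the install would proceed, else the reason."""
    if lock_text is None:
        return "no package-lock.json: npm ci aborts instead of resolving ranges"
    manifest = json.loads(package_json_text)
    root = json.loads(lock_text)["packages"].get("", {})
    if direct_deps(root) != direct_deps(manifest):
        return "package.json and package-lock.json are out of sync: npm ci aborts"
    return None


if __name__ == "__main__":
    print("range specs in package.json:", unpinned_direct_deps(PACKAGE_JSON))
    print("pin report:", pin_report(PACKAGE_JSON, PACKAGE_LOCK_JSON))
    print("npm ci without lockfile:", npm_ci_precheck(PACKAGE_JSON, None))
    print("npm ci with lockfile:", npm_ci_precheck(PACKAGE_JSON, PACKAGE_LOCK_JSON))
```

Running it on the constructed files shows `lodash` and `jest` as range specs in the manifest, `left-pad` as the only package the manifest itself pins, all three direct packages plus the transitive `chalk` pinned by the lockfile, and an abort reason from the `npm ci` model when the lockfile is missing or stale. To use it on a real project, replace the two constants with the contents of the project's own package.json and package-lock.json.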