[apimade]

Here’s a one-liner for node devs on MacOS, pin your versions and manually update your supply chain until your tooling supports supply chain vetting, or at least some level of protection against instantly-updated malicious upstream packages.

Would love to see some default-secure package management / repo options. Even a 24 hour delayed mirror would be better than than what we have today.

find . -name package.json -not -path "/node_modules/" -exec sh -c ' for pkg; do lock="$(dirname "$pkg")/package-lock.json" [ -f "$lock" ] || continue tmp="$(mktemp)" jq --argfile lock "$lock" \ ".dependencies |= with_entries(.value = $lock.dependencies[.key].version) | .devDependencies |= with_entries(.value = $lock.dependencies[.key].version // $lock.devDependencies[.key].version)" \ "$pkg" > "$tmp" && mv "$tmp" "$pkg" done ' sh {} +

[treyd]

The expected secure workflow should not require an elaborate bash incantation, it should be the workflow the tools naturally encourage you to use organically. "You're holding it wrong" cannot be possible.

[madeofpalk]

? Package lock files from npm/yarn/pnpm automatically lock all your dependencies (including transitive deps)

What does this actually achieve?

[apimade]

Accidentally installing a malicious package in your dev environment, the concern isn’t “what’s already installed”, it’s what’s potentially going to be installed in the future by you or your colleagues.

So, you pin the version and update periodically when security issues arise in your dependencies.

[user34283]

Maybe the same as if "npm config set save-exact true" was enabled when adding the dependencies.

Whether that's so important, I'm not sure.

[simonw]

You can indent every line of a code block on Hacker News by two spaces to have it render as code.

  This is indented
  By two spaces