Hacker News new | ask | show | jobs
by mirekrusin 268 days ago
name + version are immutable, you can't republish packages in npm under existing version.

you can only unpublish.

content hash integrity is verified in lockfiles.

the problem is with dependencies using semver ranges, especially wide ones like "debug": "*"

initiatives like provenance statements [0] / code signing are also good complement to delayed dependency updates.

also not running as default / whitelisting postinstall scripts is good default in pnpm.

modifying (especially adding) keys in npmjs.org should be behind dedicated 2fa (as well as changing 2fa)

[0] https://docs.npmjs.com/generating-provenance-statements
1 comments
__MatrixMan__ 268 days ago
Those are promises that npm intends to keep, but whether they do or not isn't something that you as a package user can verify. Plus there's also the possibility that the server you got those bits from was merely masquerading as npm.

The only immutability that counts is immutability that you can verify, which brings us back to cryptographic hashes.

link
mirekrusin 268 days ago
...which are already present in lockfiles, available in registry ie. https://registry.npmjs.org/debug etc. - it's not a problem.
link