Hacker News new | ask | show | jobs
by benoau 204 days ago
Or just 'npm ci' so you install exactly what's in your package-lock.json instead of the latest version bumps of those packages. This "automatic updating" is a big factor in why these attacks are working in the first place. Make package updating deliberate instead of instant or on an arbitrary lag.
2 comments
dachris 203 days ago
You'd be surprised how many people run 'npm i' in their CI. I've seen this on multiple occasions.

'npm ci' is some mitigation, but doesn't protect against getting hit when running 'npm i(nstall)' during development.

link
cluckindan 201 days ago
Update your knowledge. ”npm install” hasn’t done auto-upgrades for years now.
link
cluckindan 201 days ago
”npm install” does not auto-upgrade packages, it installs them according to the lockfile.

It didn’t always work like that, but it has worked like that for many years.

link