by dachris 212 days ago
You'd be surprised how many people run 'npm i' in their CI. I've seen this on multiple occasions.

'npm ci' is some mitigation, but doesn't protect against getting hit when running 'npm i(nstall)' during development.

1 comments

Update your knowledge. “npm install” hasn’t done auto-upgrades for years now.