by arcfour
84 days ago
PNPM makes you approve postinstall scripts instead of running them by default, which helps a lot. Whenever I see a prompt to run a postinstall script, unless I know the package normally has one & what it does, I go look it up before approving it. (Of course I could still get bitten if one of the packages I trust has its postinstall script replaced.)
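The review habit described in the comment above can be backed by a check that notices when an already-approved package's install hook changes. This is an added example, not part of the original comment and not pnpm's own code; the allowlist format (package name mapped to a SHA-256 of its install hooks), the function names and the sample packages are assumptions made for illustration.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");
const crypto = require("crypto");

const HOOKS = ["preinstall", "install", "postinstall"]; // npm install-time hooks

// Hash only the install-time hooks, so any edit to them changes the digest.
function hookDigest(scripts) {
  const picked = HOOKS.map((h) => `${h}=${scripts[h] || ""}`).join("\n");
  return crypto.createHash("sha256").update(picked).digest("hex");
}

// Walk a dependency tree (symlinks are not followed) and classify every package
// that declares an install hook. `approved` is a Map of name -> reviewed digest.
function auditInstallScripts(root, approved) {
  const findings = [];
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    const full = path.join(root, entry.name);
    if (entry.isDirectory()) findings.push(...auditInstallScripts(full, approved));
    if (!entry.isFile() || entry.name !== "package.json") continue;
    let pkg;
    try { pkg = JSON.parse(fs.readFileSync(full, "utf8")) || {}; } catch { continue; }
    const scripts = pkg.scripts || {};
    if (!pkg.name || !HOOKS.some((h) => scripts[h])) continue;
    const digest = hookDigest(scripts);
    const status = !approved.has(pkg.name) ? "unreviewed"
      : approved.get(pkg.name) === digest ? "approved" : "changed";
    findings.push({ name: pkg.name, status, digest });
  }
  return findings.sort((a, b) => (a.name < b.name ? -1 : 1));
}

// Constructed sample tree: one reviewed package, one whose hook was replaced
// after review, one never reviewed, and one with no install hooks at all.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "audit-"));
  const put = (name, scripts) => {
    const dir = path.join(root, "node_modules", name);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, "package.json"), JSON.stringify({ name, scripts }));
  };
  put("native-addon", { postinstall: "node-gyp rebuild" });
  put("@acme/tool", { postinstall: "node setup.js" });
  put("new-dep", { install: "node fetch-binary.js" });
  put("plain-lib", { test: "echo ok" });
  const approved = new Map([["native-addon", hookDigest({ postinstall: "node-gyp rebuild" })],
    ["@acme/tool", hookDigest({ postinstall: "node build.js" })]]); // digests from review
  return auditInstallScripts(root, approved);
}
```

A `changed` result means the hook text differs from what was reviewed, so it needs a fresh look before the script is allowed to run; the digest covers only the hook command line, not the files that command executes.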