by joeblubaugh 38 days ago
There has been a lot of pain at my various jobs installing a safe global npm config on every developer machine, asking people not to disable it, checking it with MDM tools. A safer out-of-the-box configuration is long overdue.

Just don't use npm. Use a package manager which doesn't execute postinstall by default. The switch is incredibly simple.
It’s hard to enforce on developer machines - there are lots of ways to install npm even if you never use it for managing development dependencies.
Which package manager is that, and what caveats does it offer?
Pnpm - installs are faster to boot. We haven't missed anything.
pnpm
What do you mean by safe config? If you're trying to mandate a cooldown period or a whitelist/blacklist of packages, the correct approach is to configure a company-controlled registry that pulls from the upstream npm registry while enforcing your desired policies.
Whether the config is the registry URL or the cooldown timer, you still need it on your dev machines and people to use tools that use it (the latter is especially a problem with Docker in my experience: people find out testcontainers or whatever is pulling from Docker Hub rather than the company registry only when their CI build fails from rate limits).
What I'm saying is that the policy should be enforced server-side. So you block the npm registry in the company firewall, and set up a company-specific registry that acts as a blessed proxy to the npm registry but enforces your desired policies. For example, if you configure your registry to refuse to pull packages published less than a week ago, then it doesn't matter if a client disables dependency cooldowns in their npm config - they still won't be able to "npm install totally-new-not-a-virus-pkg".

People can still bypass these measures if they're determined enough (offline package installs, vendoring dependencies, etc.) but making circumvention impossible to do accidentally and inconvenient to do deliberately solves the problem 99% of the way.
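The server-side cooldown the comment above describes, written out as an added example. This is not code from the thread and not any real registry's implementation; it is a sketch of the policy check a company-controlled proxy would apply to the npm "packument" (the JSON the npm registry returns for `GET /<package>`, which carries a `versions` map, `dist-tags`, and a `time` map of version to publish date). The seven-day window, the package name and all version data are constructed for the example.

```javascript
// Added example (not from the HN thread): server-side cooldown policy for an
// npm registry proxy. Works on the packument shape the npm registry serves.
// Package name, dates and the 7-day window below are constructed/assumed.

const DAY_MS = 24 * 60 * 60 * 1000;
const MIN_AGE_DAYS = 7; // assumed policy value

// Loose ordering on the numeric major.minor.patch core, enough to choose a
// replacement "latest"; prerelease ordering is deliberately ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when `version` was published at least minAgeDays before `now`.
// A missing or unparsable publish time fails closed (treated as too new).
function isOldEnough(packument, version, now, minAgeDays = MIN_AGE_DAYS) {
  const published = Date.parse((packument.time || {})[version]);
  if (Number.isNaN(published)) return false;
  return now - published >= minAgeDays * DAY_MS;
}

// Rewrite the packument the client sees: drop versions inside the cooldown
// window, drop their `time` entries so they do not leak, and re-point any
// dist-tag that named a hidden version. `latest` matters most, because
// `npm install pkg` resolves through it and would otherwise request the
// hidden version.
function filterPackument(packument, now = Date.now(), minAgeDays = MIN_AGE_DAYS) {
  const versions = {};
  const time = {};
  const hidden = [];
  for (const [version, meta] of Object.entries(packument.versions || {})) {
    if (isOldEnough(packument, version, now, minAgeDays)) {
      versions[version] = meta;
      time[version] = packument.time[version];
    } else {
      hidden.push(version);
    }
  }
  const newest = Object.keys(versions).sort(compareVersions).pop();
  const distTags = {};
  for (const [tag, version] of Object.entries(packument["dist-tags"] || {})) {
    if (versions[version]) distTags[tag] = version;
    else if (tag === "latest" && newest) distTags.latest = newest;
    // any other tag pointing at a hidden version is simply dropped
  }
  return { packument: { ...packument, versions, "dist-tags": distTags, time }, hidden };
}

// Filtering metadata alone is not enough: a lockfile can already pin a
// brand-new version, and npm then fetches /<name>/-/<basename>-<version>.tgz
// directly. The tarball route must apply the same rule. `lookup` resolves a
// package name to its upstream packument (cached or fetched; injected here).
function tarballAllowed(path, lookup, now = Date.now(), minAgeDays = MIN_AGE_DAYS) {
  const m = /^\/(.+)\/-\/(.+)\.tgz$/.exec(path);
  if (!m) return false; // not a tarball path we recognise: deny
  const [, name, file] = m;
  const basename = name.split("/").pop(); // "@scope/pkg" -> "pkg"
  if (!file.startsWith(basename + "-")) return false;
  const version = file.slice(basename.length + 1);
  const packument = lookup(name);
  if (!packument) return false;
  return isOldEnough(packument, version, now, minAgeDays);
}

// Constructed sample: the newest version was published yesterday and both
// `latest` and `next` point at it, which is what a freshly hijacked package
// looks like from the registry's point of view.
const NOW = Date.parse("2025-01-15T00:00:00Z");
const SAMPLE = {
  name: "left-pad-ish",
  "dist-tags": { latest: "1.2.0", next: "1.2.0" },
  time: {
    "1.0.0": "2024-10-01T00:00:00Z",
    "1.1.0": "2024-12-20T00:00:00Z",
    "1.2.0": "2025-01-14T00:00:00Z",
  },
  versions: {
    "1.0.0": { version: "1.0.0" },
    "1.1.0": { version: "1.1.0" },
    "1.2.0": { version: "1.2.0" },
  },
};

function demo() {
  const { packument, hidden } = filterPackument(SAMPLE, NOW);
  return {
    hidden,
    served: Object.keys(packument.versions),
    distTags: packument["dist-tags"],
    lockfilePinFetch: tarballAllowed("/left-pad-ish/-/left-pad-ish-1.2.0.tgz", () => SAMPLE, NOW),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the second function is the one the comment's "99%" hand-waves over: a client that disabled its local cooldown and already resolved `1.2.0` into its lockfile never asks for the packument again, so a proxy that only rewrites metadata would still hand it the tarball. Applying the same publish-time check on the tarball route closes that path; offline installs and vendored tarballs remain the deliberate bypasses the comment mentions.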

Or even just a proxy that can enforce the constraints.