by apf6
38 days ago
The time difference does matter though. There were some recent worm attacks in NPM that spread very quickly because they used post-install. I don’t remember how long it took NPM to block the packages but it was probably around 30 minutes or so? If it wasn’t for post-install then that same attack would have a much slower spread and thus a smaller blast radius.

How often do you run "npm install" just for the fun of it, without actively working on the codebase?
IME 99% of the time the time between "npm install" and some form of execution that pulls in dependencies is less than 30 seconds.