by Rohansi
29 days ago
> There's a huge difference, because postinstall scripts are almost guaranteed to run in your CI pipeline. Compromised code probably won't (maybe it will if your test cases test a compromised package)

You don't need to test a compromised package to have it execute code. Importing it anywhere in your tests is enough, even transitively. It's for sure less likely to run, but I doubt it's significantly different in practice.