by general_reveal 16 days ago
That’s why I switched to Java.
4 comments

You are absolutely right. The dangerous part of NPM packages is the post-install script. Therefore moving from JavaScript to Java removes the threat.
You joke, but, yeah, when you think about it, the problem with JavaScript is the 'script' part. That's actually correct.

    AbstractFinalFactoryShaiHuludSerialisedFactory
Yeah, but you don't have to use that, I think. I think us Node people can just pretend to write ECMAScript 2 in Java and be fine.
…. lol
Meh, Maven plugins are just as juicy a target as npm is.
https://github.com/s4u/pgpverify-maven-plugin

If you want paranoid mode, you can verify literally every part of the Maven build process.

What do you recommend?