Hacker News
by jffry 2 days ago
The default behavior for the automated "add everything existing to the allowlist" is to include the specific version:
https://docs.npmjs.com/cli/v11/using-npm/config#allow-script...
Together with a lockfile, that does achieve "package xyz postinstall allowed with hash <1234>".