ggkiely, about 4 hours ago, 1 comment


In light of the ongoing npm supply chain compromises, I built safe-install:

https://www.npmjs.com/package/@gkiely/safe-install

It brings a couple of protections I wanted from npm but are not built in.

Similar to Bun’s trusted dependencies, it lets you disable install scripts by default and define a list of dependencies that are allowed to run build/install scripts:

https://bun.com/docs/guides/install/trusted

It also supports blocking exotic sub-dependencies, similar to pnpm’s `blockExoticSubdeps` setting:

https://gajus.com/blog/3-pnpm-settings-to-protect-yourself-f...

I was hoping npm would eventually add something like this, but it does not seem to be happening soon, so I made a small package for it.
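As an added illustration of the two protections described above (not code from safe-install, whose internals the post does not describe), here is a small Node audit over a package-lock.json v2/v3 `packages` map: it flags dependencies that declare lifecycle install scripts but are not on an explicit allow-list, and dependencies whose `resolved` field points outside the public npm registry (git, tarball URL, local link), which is what an exotic sub-dependency is. The lockfile fragment, the per-package `scripts` map and all package names are constructed sample data.

```javascript
// Added example, not part of safe-install or npm. Audits a lockfile map
// the way a trusted-dependencies list plus an exotic-subdep block would.
const REGISTRY = "https://registry.npmjs.org/";
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// "node_modules/a/node_modules/@s/b" -> "@s/b" (nested deps keep their name)
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? lockPath : lockPath.slice(idx + "node_modules/".length);
}

// lock: parsed package-lock.json; scriptsByPkg: each package's own
// package.json "scripts" (read from node_modules in a real run);
// allowed: Set of package names permitted to run install scripts.
function auditLock(lock, scriptsByPkg, allowed) {
  const blockedScripts = [];
  const exotic = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "" || entry.link) continue; // root project / workspace link
    const name = packageName(lockPath);
    const scripts = scriptsByPkg[name] || {};
    const hooks = INSTALL_HOOKS.filter((h) => h in scripts);
    if (hooks.length > 0 && !allowed.has(name)) blockedScripts.push({ name, hooks });
    const resolved = entry.resolved || "";
    if (!resolved.startsWith(REGISTRY)) exotic.push({ name, resolved: resolved || "(none)" });
  }
  return { blockedScripts, exotic };
}

// Constructed sample lockfile: one nested dependency pulled from git.
const sampleLock = {
  packages: {
    "": { name: "my-app" },
    "node_modules/native-addon": { version: "1.0.0", resolved: REGISTRY + "native-addon/-/native-addon-1.0.0.tgz" },
    "node_modules/string-tools": { version: "2.1.0", resolved: REGISTRY + "string-tools/-/string-tools-2.1.0.tgz" },
    "node_modules/string-tools/node_modules/color-helper": { version: "0.3.0", resolved: "git+ssh://git@github.com/example/color-helper.git#abc123" },
    "node_modules/helpful-lib": { version: "1.0.1", resolved: REGISTRY + "helpful-lib/-/helpful-lib-1.0.1.tgz" },
  },
};
// Constructed "scripts" sections: two packages declare install hooks.
const sampleScripts = {
  "native-addon": { postinstall: "node-gyp rebuild" },
  "helpful-lib": { preinstall: "node setup.js" },
};

// Only native-addon is trusted to run install scripts.
function demo() {
  return auditLock(sampleLock, sampleScripts, new Set(["native-addon"]));
}
console.log(JSON.stringify(demo(), null, 2));
```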


Discussion (1 comment)

edoceo, 20 minutes ago
Yet again I'm asking folk to look at this artifact mirror that was Show HN a few months ago.

https://github.com/artifact-keeper

It's currently my favourite package gatekeeper, after a few years of self-built jank.