Hacker News

homebrewer today at 6:51 PM

pnpm does all that on top of node. Also disables postinstall scripts by default, making the recent security incidents we've seen a non-issue.


Replies

junon today at 8:40 PM

As the victim of the larger pre-Shai-Hulud attack, unfortunately the install script validation wouldn't have protected you. Also, if you already have an infected package on the whitelist, a new infection in the install script will still affect you.

antihero today at 6:58 PM

I’m not sure why but bun still feels snappier.

daheza today at 7:31 PM

Are there any popular packages that require postinstall scripts that this hurts?