That’s weird, pnpm no longer automatically runs lifecycle scripts like preinstall [1], so unless they were running a very old version of pnpm, shouldn’t they have been protected from Shai-Hulud?
Let me understand it fully. That means they updated dependencies using an old, out-of-date package manager. If pnpm was up to date, this would not have happened? Sounds totally like their fault then.
Yeah, I thought that was the main reason to use pnpm. Very confused.
Maybe the project itself had a postinstall script? It doesn't run lifecycle scripts of dependencies, but it still runs project-level ones.
At the end of the article, they talk about how they've since updated to the latest major version of pnpm, which is the one with that change.