Hacker News

nikeee, yesterday at 11:06 PM, 3 replies

Bun added `trustedDependencies` [1] to package.json and only executes postInstall scripts coming from these dependencies. I think this is something that should be supported across all JS package managers, even more than version cooldowns.

[1]: https://bun.com/docs/guides/install/trusted


Replies

olalonde, today at 12:41 AM

That's security theater. The package can still run arbitrary code the moment it's actually used.

alpaca128, today at 12:52 AM

How can you know that a dependency you trust won't be hacked? At best it slightly reduces the risk, but it's not even close to the effectiveness of version cooldowns that just block 100% of fresh updates.

jazzypants, yesterday at 11:48 PM

Can you help me understand why one would ever need a post-install script in the first place, please?
