NPM only gained minimum package age in February of this year, and still doesn't support package exclusions for internal packages.
https://github.com/npm/cli/pull/8965
https://github.com/npm/cli/issues/8994
It's good that they finally got there but....
I would be avoiding npm itself on principle in the JS ecosystem. Use a package manager that has a history of actually caring about these issues in a timely manner.
It almost doesn't matter, because you can get pwned by a transitive dependency. If someone doesn't have the same scruples as you have, you're still at risk.