> it’s got me nervous to use Python or Node.js these days My feelings precisely. Min package ag...

rybosome • today at 3:46 AM • 2 replies • view on HN

> it’s got me nervous to use Python or Node.js these days

My feelings precisely. Min package age (supported in uv and all JS package managers) is nice but I still feel extremely hesitant to upgrade my deps or start a new project at the moment.

I don’t think this is going to stabilize any time soon, so figuring out how to handle potentially compromised deps is something we will all need to think about.

Replies

Tazerenix • today at 4:12 AM

NPM only gained minimum package age in February of this year, and still doesn't support package exclusions for internal packages.

https://github.com/npm/cli/pull/8965

https://github.com/npm/cli/issues/8994

Its good that that they finally got there but....

I would be avoiding npm itself on principle in the JS ecosystem. Use a package manager that has a history of actually caring about these issues in a timely manner.

➕ show 1 reply

arcfour • today at 4:57 AM

PNPM makes you approve postinstall scripts instead of running them by default, which helps a lot. Whenever I see a prompt to run a postinstall script, unless I know the package normally has one & what it does, I go look it up before approving it.

(Of course I could still get bitten if one of the packages I trust has its postinstall script replaced.)

➕ show 1 reply

alt Hacker News

Replies