ef2k (yesterday at 7:52 PM)

The issue was a compromised build pipeline that shipped a poisoned package.

But PSA: If something is critical to the business and you’re using npm, pin your dependencies. I’ve had this debate with other devs throughout the years and they usually point to the lockfile as assurance, but version ranges with a ^ mean that when the lockfile gets updated, you can pull in newer versions you didn’t explicitly choose.

If what you're building can put your company out of business, it's worth the hassle.
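An added example, not part of ef2k's comment or the thread, modelling the caret behaviour described above: a toy resolver over a constructed registry listing (package name and versions are made up) shows that a rebuilt lockfile moves a `^` range to the newest matching release while an exact pin stays put, plus a drift check CI could run against a lockfile entry.

```javascript
// Added example, not from the thread: a toy model of npm caret (^) ranges showing
// how a rebuilt lockfile drifts to versions nobody explicitly chose, while an
// exact pin stays put. Package name and versions below are constructed.

const registry = {
  "example-lib": ["0.2.3", "0.2.9", "0.3.0", "1.1.3", "1.2.0", "1.3.0", "2.0.0"],
};

const parse = (v) => v.split(".").map(Number);

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Upper (exclusive) bound of ^X.Y.Z per semver: <(X+1).0.0; for 0.Y.Z it is
// <0.(Y+1).0, and for 0.0.Z it is <0.0.(Z+1).
function caretUpperBound([maj, min, pat]) {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// Does `version` fall inside `range`? Only exact pins and caret ranges are modelled.
function satisfies(version, range) {
  const v = parse(version);
  if (!range.startsWith("^")) return cmp(v, parse(range)) === 0;
  const base = parse(range.slice(1));
  return cmp(v, base) >= 0 && cmp(v, caretUpperBound(base)) < 0;
}

// What a fresh resolution picks: the highest published version inside the range.
function resolve(name, range) {
  const ok = (registry[name] || []).filter((v) => satisfies(v, range)).map(parse).sort(cmp);
  return ok.length ? ok[ok.length - 1].join(".") : null;
}

// Drift check a CI job can run: would regenerating the lockfile change this entry?
function wouldDrift(name, range, lockedVersion) {
  return resolve(name, range) !== lockedVersion;
}

console.log(resolve("example-lib", "^1.1.3")); // 1.3.0: newer than the version that was vetted
console.log(resolve("example-lib", "1.1.3"));  // 1.1.3: exact pin, no movement
console.log(resolve("example-lib", "^0.2.3")); // 0.2.9: a 0.x caret stays below 0.3.0
console.log(wouldDrift("example-lib", "^1.1.3", "1.1.3")); // true
console.log(wouldDrift("example-lib", "1.1.3", "1.1.3"));  // false
```

Real npm ranges also include tilde, hyphen and comparator forms, which this toy deliberately leaves out.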


Replies

jbverschoor (today at 6:07 AM)

This is one reason why we have lock files / version pinning

fragmede (yesterday at 9:25 PM)

But it goes the other way too. If there's a security vulnerability that was fixed in a later version, you want the system to automatically pick that up and apply it for you in an ideal scenario.
