Hacker News

lloydatkinson, today at 10:15 AM (3 replies)

This is probably the most batshit insane insecure advice I've ever read on Hacker News ever. And everyone is wondering why NPM based attacks are so prevalent? Advice like this is being followed.


Replies

smrq, today at 8:24 PM

Explain the attack that gets mitigated by reading the diff of a lockfile?

Every major npm attack I can think of essentially follows the pattern of "version X.Y.Z is secretly evil". How does seeing [email protected] in your lockfile alert you to that?

kortex, today at 3:39 PM

I think you misunderstand the functionality. It doesn't ignore the diff completely. It just replaces the full contents with `Binary files differ`.

> Use -diff to completely hide the internal file content during a diff. Git will only report `Binary files differ` if the file changes.

Same as you would binary files. It's still good advice to actually review the lockfile changes at some point.

You can also apparently write transformers to make it more human readable.
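
The "transformer" route mentioned above is git's `textconv` mechanism: instead of `package-lock.json -diff` in `.gitattributes` (which yields only `Binary files differ`), you declare `package-lock.json diff=npmlock` and point `git config diff.npmlock.textconv` at a script; git runs the script on both sides of the diff and diffs its output. The script below is an added example written for this thread, not code from any commenter or from npm. It flattens a lockfile to one line per installed package (install path, name@version, resolved URL, integrity hash), so a version bump or a package whose `resolved` URL has moved off the registry shows up as a one-line change rather than being buried in JSON noise. The file name `lockfile_textconv.py`, the attribute name `npmlock`, and the sample lockfiles (constructed, with made-up package names) are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Added example: a git textconv filter for package-lock.json.

Wiring (the script name and the attribute name "npmlock" are assumptions):
    .gitattributes:  package-lock.json diff=npmlock
    git config diff.npmlock.textconv "python3 lockfile_textconv.py"
git then invokes this script with the path of a temp file holding the blob
as argv[1], for each side of the diff, and diffs the two outputs.
"""
import json
import sys


def _row(path: str, name: str, meta: dict) -> str:
    # One line per installed package: where it lives, what it is, where it
    # came from, and the hash npm verifies. Any of these moving between two
    # commits becomes a one-line change in `git diff`.
    return "{} {}@{} {} {}".format(
        path,
        name,
        meta.get("version", "?"),
        meta.get("resolved", "-"),
        meta.get("integrity", "-"),
    )


def _walk_v1(deps: dict, prefix: str, rows: list) -> None:
    # lockfileVersion 1 nests each package's dependencies inside it.
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        rows.append(_row(path, name, meta))
        _walk_v1(meta.get("dependencies", {}), path + "/", rows)


def summarize_lockfile(text: str) -> list:
    """Flatten a package-lock.json into sorted one-line-per-package rows."""
    data = json.loads(text)
    rows = []
    packages = data.get("packages")
    if packages is not None:
        # lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
        for path, meta in packages.items():
            if path == "":
                continue
            # Scoped names keep their "@scope/" prefix when split on the last
            # "node_modules/" segment.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            rows.append(_row(path, name, meta))
    else:
        _walk_v1(data.get("dependencies", {}), "", rows)
    return sorted(rows)


def lockfile_changes(old_text: str, new_text: str) -> tuple:
    """Rows removed and rows added between two lockfiles (what the diff shows)."""
    old, new = set(summarize_lockfile(old_text)), set(summarize_lockfile(new_text))
    return sorted(old - new), sorted(new - old)


# Constructed sample (not real packages): a v3 lockfile before and after a
# patch bump that also quietly moves one package off the public registry.
OLD_LOCK = json.dumps({
    "name": "app", "lockfileVersion": 3, "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/left-pad-ish": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.3.0.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/@scope/util": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/@scope/util/-/util-2.0.0.tgz",
            "integrity": "sha512-BBBB",
        },
    },
})
NEW_LOCK = json.dumps({
    "name": "app", "lockfileVersion": 3, "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/left-pad-ish": {
            "version": "1.3.1",
            "resolved": "https://example.invalid/left-pad-ish-1.3.1.tgz",
            "integrity": "sha512-CCCC",
        },
        "node_modules/@scope/util": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/@scope/util/-/util-2.0.0.tgz",
            "integrity": "sha512-BBBB",
        },
    },
})


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # textconv mode: git passes the blob's temp path as the only argument.
        with open(sys.argv[1], encoding="utf-8") as f:
            print("\n".join(summarize_lockfile(f.read())))
    else:
        # Stand-alone demo on the constructed sample.
        removed, added = lockfile_changes(OLD_LOCK, NEW_LOCK)
        for line in removed:
            print("-", line)
        for line in added:
            print("+", line)
```

Run without arguments to see the two-line change on the sample; under git the same two lines are what `git diff` prints for the lockfile, and the `https://example.invalid/...` resolved URL is exactly the kind of detail a reviewer would miss in the raw JSON diff and cannot see at all behind `Binary files differ`.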

nujabe, today at 2:31 PM

It’s fine imo, you’ll still see the diffs in PRs before merging, but majority of the time it’s just noise when developing locally. LLM agents also use git diffs frequently, why spend 10x the tokens analyzing package lock diffs instead of actual business logic changes.