RE: https://mastodon.social/@sitnik_en/115730334234115554

At Evil Martians, we take supply chain attacks seriously. Postinstall scripts are the weakest link in npm security, and the fix is almost embarrassingly simple.

Here's a guide to increase JS app security from one of @sitnik_en's recent projects:

@evilmartians @sitnik_en better yet: use pnpm and allow-list your post installs https://pnpm.io/9.x/package_json#pnpmonlybuiltdependencies