@hejchristian Yeah, and the biggest issue are transitive dependencies. Just because you didn’t install Axios explicitly, doesn’t mean another package you installed couldn’t have it in its dependencies. So you might be screwed without even knowing it. 😅

The fewer dependencies, the better. A lot of what many packages do can be done rather trivially by yourself or using modern APIs (like Fetch in this case).

If you can, you could also use the --no-scripts flag, however that might not always work.

@hejchristian Dang it, it’s actually the --ignore-scripts flag, but the previous post doesn’t have enough space for the extra characters, so I can’t edit it.

Anyway, with room to elaborate: there’s deps that rely on scripts running pre or post installation. So ignoring them doesn’t always work. What I try to do is keep myself informed about the supply chain attacks and doing due dilligence when choosing deps in the first place, ie ensuring they have as few dependencies as possible of their own.

@amxmln Thanks for the wisdom!

The axios I have here, I didn't explicitly install, they were dependencies.

They're all in 11ty projects though I'm not sure even that's the link - perhaps a plugin I kept using? I'll need to do some digging to understand what was bringing it in.

Axios aside, it's the steps I should take to harden myself against future issues that I need to focus on for sure.

https://www.herodevs.com/blog-posts/the-axios-compromise-what-happened-what-it-means-and-what-you-should-do-right-now#:~:text=If%20You%27re%20Not%20Affected%3A%20Harden%20Anyway

So --ignore-scripts, lockfiles, and pinned deps?