oh, you care about open source security? please run npm install -g on this completely opaque tool with 500 dependencies. don’t worry, we automerge every single dependency bump on our side for Maximum Security.
@yossarian tired: cooldowns, wired: npx
@andrewnez it might actually be good if tools required you to set `JUST_FUCK_MY_SHIT_UP=1` before running the “execute arbitrary code directly from the Internet with no guardrails” command
@andrewnez (non professional opinion)
@yossarian one simple trick, security folks hate this

@andrewnez @yossarian

you probably know, but

npm config set --location user min-release-age 3
npm config set --location user ignore-scripts true

also affects "npx" and "npm install -g"
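As an added illustration (not code from anyone in this thread), here is a small model of what those two settings do: `min-release-age` makes npm skip versions published fewer than N days ago, and `ignore-scripts` stops the install-time lifecycle hooks from running. The packument and package.json below are constructed sample data, not from any real package.

```javascript
// Added example (not from anyone in this thread): models the effect of
// npm's `min-release-age` on version resolution and lists the lifecycle
// scripts that `ignore-scripts` would keep from running. Sample data below
// is constructed for the demonstration.

const DAY_MS = 24 * 60 * 60 * 1000;

// Newest version whose registry publish time is at least `minDays` old.
// `packument.time` maps version -> ISO publish timestamp (registry shape),
// plus the non-version keys `created` and `modified`, which are skipped.
function resolveWithMinReleaseAge(packument, minDays, now = Date.now()) {
  const cutoff = now - minDays * DAY_MS;
  const eligible = Object.entries(packument.time)
    .filter(([v]) => v !== 'created' && v !== 'modified')
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([v]) => v);
  // Sort by numeric semver parts, highest first (plain x.y.z assumed)
  eligible.sort((a, b) => {
    const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
    for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pb[i] - pa[i];
    return 0;
  });
  return eligible[0] ?? null;
}

// Lifecycle hooks npm runs automatically around install unless ignore-scripts is set
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

function installTimeScripts(pkgJson) {
  const scripts = pkgJson.scripts || {};
  return INSTALL_HOOKS.filter((hook) => hook in scripts);
}

// Constructed sample: 1.2.3 was published one day before "now"
const NOW = Date.parse('2025-01-10T00:00:00Z');
const samplePackument = {
  'dist-tags': { latest: '1.2.3' },
  time: {
    created: '2024-01-01T00:00:00Z',
    modified: '2025-01-09T00:00:00Z',
    '1.2.1': '2024-12-20T00:00:00Z',
    '1.2.2': '2025-01-05T00:00:00Z',
    '1.2.3': '2025-01-09T00:00:00Z',
  },
};
const samplePkgJson = {
  name: 'example-pkg', version: '1.2.3',
  scripts: { test: 'node test.js', postinstall: 'node setup.js' },
};

console.log(resolveWithMinReleaseAge(samplePackument, 3, NOW)); // '1.2.2'
console.log(installTimeScripts(samplePkgJson)); // ['postinstall']
```

With a 3-day minimum the day-old `latest` is skipped in favour of `1.2.2`; with `ignore-scripts`, the `postinstall` hook listed here would simply not execute.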

@yossarian what is the alternative these days? Since Linux userspace is now broken on a regular basis, I assume VMs?