AndreasHae 5 months ago | on: Shai-Hulud malware attack: Tinycolor and over 40 N...
It’s still ridiculous to me that version pinning isn’t the default for npm.
The first thing I do for all of my projects is adding a .npmrc with save-exact=true
silverwind 5 months ago
save-exact is mostly useless against such attacks because it only works on direct dependencies.
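To illustrate the point in the comment above, an added example (not part of the thread and not npm's own code): a simplified resolver over a constructed registry, showing that an exact pin on a direct dependency leaves that dependency's own caret range free to pick up a newer release. The package names, versions, the flat one-version-per-name tree and the `lock` parameter standing in for a lockfile are all assumptions.

```javascript
// Constructed registry: name -> version -> that version's own declared dependencies.
const registry = {
  "app-lib":    { "1.0.0": { "color-util": "^2.1.0" }, "1.0.1": { "color-util": "^2.1.0" } },
  "color-util": { "2.1.0": {}, "2.1.1": {}, "3.0.0": {} },
};

const parse = (v) => v.split(".").map(Number);
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Simplified matcher: exact "1.2.3", or caret "^1.2.3" with major >= 1.
function satisfies(version, range) {
  if (!range.startsWith("^")) return version === range;
  const min = range.slice(1);
  return parse(version)[0] === parse(min)[0] && cmp(version, min) >= 0;
}

// Resolve a dependency map. Without a lock entry, each range takes the
// highest published version that satisfies it (flat tree, one version per name).
function resolve(deps, lock = {}, out = {}) {
  for (const [name, range] of Object.entries(deps)) {
    if (out[name]) continue;
    const candidates = Object.keys(registry[name]).filter((v) => satisfies(v, range));
    const version = lock[name] ?? candidates.sort(cmp).pop();
    out[name] = version;
    resolve(registry[name][version], lock, out); // ranges here come from the dependency, not from us
  }
  return out;
}

// Packages whose version was chosen by a range the root project neither wrote nor locked.
function floating(rootDeps, lock = {}) {
  const tree = resolve(rootDeps, lock);
  return Object.keys(tree).filter((n) => !(n in rootDeps) && !(n in lock));
}

const rootDeps = { "app-lib": "1.0.0" }; // the form save-exact=true writes: no ^ prefix
console.log(resolve(rootDeps), floating(rootDeps));
console.log(resolve(rootDeps, { "color-util": "2.1.0" })); // with a lock entry for the transitive package
```

In real projects the role of `lock` is played by `package-lock.json`, which records the resolved version of every package in the tree and is what `npm ci` installs from.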
electrotype 5 months ago
Why, though?