
The note offers this workaround for npm: "Use npm shrinkwrap to lock down your dependencies", which will prevent the worm from spreading purely because of an install of a checked-out app.

Any application package manager with a lockfile-based workflow (like Bundler, Cocoapods, Cargo, etc.) would at least have this mitigation as a default part of the workflow.



Shrinkwrap might work for a bit, but if you regenerate the file you will run into the same issue.

A way to protect you 100% against the problem is to define your dependency as a link to a specific commit or tarball.


Or a specific version since they can't be written to twice in the npm repo.
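An added example (not code from the thread or from npm): a small Node.js script that audits a package.json in the spirit of the two suggestions above, reporting every dependency that is not pinned to an exact version, a tarball URL, or a git commit SHA. The manifest it checks is constructed for illustration; `classifySpecifier` and `findUnpinned` are my names, and treating only a full 40-character SHA as an immutable git ref is an assumption.

```javascript
// Added example: flag package.json specifiers that a fresh `npm install`
// could resolve to a different (newer) artifact. Constructed sample manifest.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const FULL_SHA = /^[0-9a-f]{40}$/i;               // assumption: only a full SHA counts
const TARBALL = /^https?:\/\/.+\.(tgz|tar\.gz)$/;
const GIT_LIKE = /^(git(\+\w+)?:|github:|gitlab:|bitbucket:)|\.git(#|$)|^[\w.-]+\/[\w.-]+(#|$)/;

// Classify one specifier. Returns { pinned: boolean, reason: string }.
function classifySpecifier(spec) {
  let s = String(spec).trim();
  if (s.startsWith('npm:')) s = s.slice(s.lastIndexOf('@') + 1); // alias: judge its range
  if (s.startsWith('file:') || s.startsWith('link:')) return { pinned: true, reason: 'local path' };
  if (EXACT_SEMVER.test(s)) return { pinned: true, reason: 'exact version' };
  if (TARBALL.test(s)) return { pinned: true, reason: 'tarball URL' };
  if (GIT_LIKE.test(s)) {
    const hash = s.indexOf('#');
    const ref = hash === -1 ? '' : s.slice(hash + 1).replace(/^semver:/, '');
    if (FULL_SHA.test(ref)) return { pinned: true, reason: 'git commit' };
    return { pinned: false, reason: ref ? `git ref "${ref}" can move` : 'git default branch' };
  }
  return { pinned: false, reason: `range "${s}"` }; // ^, ~, *, x-ranges, tags like "latest"
}

// Walk the dependency sections and return the entries that are not pinned.
function findUnpinned(manifest) {
  const out = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const r = classifySpecifier(spec);
      if (!r.pinned) out.push({ section, name, spec, reason: r.reason });
    }
  }
  return out;
}

// Constructed sample manifest (names and URLs are placeholders).
const SAMPLE_MANIFEST = {
  dependencies: {
    'left-pad': '^1.0.0',
    express: '4.13.4',
    lodash: 'https://registry.example.invalid/lodash/-/lodash-4.6.1.tgz',
    mylib: 'git+https://github.com/example/mylib.git#' + 'a'.repeat(40),
    otherlib: 'github:example/otherlib#master',
  },
  devDependencies: { mocha: '*', eslint: 'npm:@foo/bar@~2.0.0' },
};

const UNPINNED = findUnpinned(SAMPLE_MANIFEST);
for (const u of UNPINNED) console.log(`${u.section}/${u.name}: ${u.spec} (${u.reason})`);
```

Run it against a real manifest by replacing SAMPLE_MANIFEST with `JSON.parse(require('fs').readFileSync('package.json', 'utf8'))`.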


According to https://news.ycombinator.com/item?id=11341142, in at least one case, now, this is not true.


Except the exact same code was republished, so the point still stands.


This time



