That Shai-Hulud npm worm has now reached 500 packages: socket.dev/blog/ongoing-supply…

Also, doesn't seem to run on Windows (via Step Security)

in reply to Catalin Cimpanu

that's a pretty sick burn against Microsoft, that so few developers use it that it isn't worth the effort to get your worm to run on it.
in reply to Catalin Cimpanu

I'm advising developers to disable postinstall scripts by default. There are a couple of ways of doing this, but you can set up an allowlist with yarn like so:

# .yarnrc.yml
enableScripts: false

# Allowlist for specific packages that need scripts to function
packageExtensions:
  # Example: A native module that needs a build script
  "node-sass@*":
    enableScripts: true