Great article by @lirantal here: "npm security best practices"
Some of the ideas there might be a great addition to our guide, we may include with Credit, what do you think @js-kyle ?
Amazing work! Yes definitely
I'd be happy if you include credits and reference to the cheat sheet ;-)
@js-kyle if something is unclear or you'd want to consult more you're welcome to tag me
I think 3.Minimize attack surfaces by ignoring run-scripts would be good to add here
@lirantal Wouldn't this (ignore run-scripts) break some packages that rely on scripts?
@js-kyle Maybe bullet number 1 (use .npmignore or files) is less controversial?
@lirantal Wouldn't this (ignore run-scripts) break some packages that rely on scripts?
Yep, and at the same time protect you from evil execution in install phases.
Hello there! 👋
This issue has gone silent. Eerily silent. ⏳
We currently close issues after 100 days of inactivity. It has been 90 days since the last update here.
If needed, you can keep it open by replying here.
Thanks for being a part of the Node.js Best Practices community! 💚
Most helpful comment
I'd be happy if you include credits and reference to the cheat sheet ;-)
@js-kyle if something is unclear or you'd want to consult more you're welcome to tag me