How are you adjusting to the SHA1 Hulud incident?

Asked By CuriousCat123 On

I'm curious to hear what steps everyone has taken since the SHA1 Hulud incident, regardless of whether you were directly affected. I'm particularly interested in the long-term effects on the NPM ecosystem and how these might influence package management in general.

Personally, we've decided to switch from npm to pnpm v10 since it disables dependency lifecycle scripts by default. Additionally, we're implementing a "minimum release age" policy to help protect against compromised packages from the registry.

1 Answer

Answered By TechSavvy99 On

I've cut back on the number of packages I'm using. Even if you're only using a few direct packages, they can have a ton of nested dependencies that pose risks. Simplifying your dependencies is a solid way to boost security. Plus, switching to pnpm makes it really easy to enforce that.

CarefulCoder88 -

Exactly! It's crazy how just a single line in the configuration can really help mitigate risks. While it's not a complete shield against supply chain attacks, it certainly makes a big difference.
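The "minimum release age" policy mentioned in the question, as an added illustration that is not code from this thread or from pnpm itself: given a registry packument's `time` map (publish timestamp per version), select the newest version that has been public for at least a chosen number of minutes, so a freshly pushed (possibly compromised) release is skipped until it has had time to be noticed. The packument data below is constructed, not a real package.

```javascript
// Constructed sample of a packument's `time` field: the registry records
// when each version was published, plus `created`/`modified` metadata.
const SAMPLE_TIME = {
  created: "2024-01-01T00:00:00.000Z",
  modified: "2025-11-24T10:00:00.000Z",
  "1.2.0": "2025-10-01T00:00:00.000Z",
  "1.2.1": "2025-11-10T00:00:00.000Z",
  "1.3.0": "2025-11-24T09:30:00.000Z", // pushed 30 minutes before "now"
};

// Numeric comparison of plain major.minor.patch strings (no prerelease tags).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Return the newest stable version published at or before `now - minAgeMinutes`,
// or null when no version is old enough yet. Prerelease versions and the
// `created`/`modified` keys are ignored.
function selectVersion(timeMap, minAgeMinutes, now = new Date()) {
  const cutoff = now.getTime() - minAgeMinutes * 60 * 1000;
  const eligible = Object.entries(timeMap)
    .filter(([v]) => /^\d+\.\d+\.\d+$/.test(v))
    .filter(([, ts]) => Date.parse(ts) <= cutoff)
    .map(([v]) => v)
    .sort(compareVersions);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Versions newer than the cutoff, useful for logging what the policy held back.
function heldBackVersions(timeMap, minAgeMinutes, now = new Date()) {
  const cutoff = now.getTime() - minAgeMinutes * 60 * 1000;
  return Object.entries(timeMap)
    .filter(([v, ts]) => /^\d+\.\d+\.\d+$/.test(v) && Date.parse(ts) > cutoff)
    .map(([v]) => v)
    .sort(compareVersions);
}
```

With a seven-day window the selector returns `1.2.1` and reports `1.3.0` as held back; with a zero-minute window it returns `1.3.0`.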
