headless horsefacts
@horsefacts.eth
summary of today's NPM compromise, vulnerable package versions, and action items for devs here, from @andrewmohawk at Privy. if your app uses NPM (includes mini apps), please check your dependencies. https://x.com/AndrewMohawk/status/1965116722375209305 https://x.com/AndrewMohawk/status/1965117607750881561
11 replies
20 recasts
78 reactions

Matt
@mattlee
Does using a different package manager than NPM help avoid things like this? I've heard bun is more secure
1 reply
0 recast
0 reaction

dylan
@dylsteck.eth
i need to look into this a bit more for more context, but if it's an issue at the package level it might persist regardless of which package manager you use (npm, pnpm, yarn, bun, etc.)
1 reply
0 recast
0 reaction

Kasra Rahjerdi
@jc4p
it’s a global package manager issue, but there are many options like pinning versions manually or using npm ci, etc. — in theory the only people who installed it were ones setting up new projects, so installing from scratch, not from a lock file
1 reply
0 recast
2 reactions