body { -ms-overflow-style: scrollbar; overflow-y: scroll; overscroll-behavior-y: none; } .errorContainer { background-color: #FFF; color: #0F1419; max-width: 600px; margin: 0 auto; padding: 10%; font-family: Helvetica, sans-serif; font-size: 16px; } .errorButton { margin: 3em 0; } .errorButton a { background: #1DA1F2; border-radius: 2.5em; color: white; padding: 1em 2em; text-decoration: none; } .errorButton a:hover, .errorButton a:focus { background: rgb(26, 145, 218); } .errorFooter { color: #657786; font-size: 80%; line-height: 1.5; padding: 1em 0; } .errorFooter a, .errorFooter a:visited { color: #657786; text-decoration: none; padding-right: 1em; } .errorFooter a:hover, .errorFooter a:active { text-decoration: underline; } #placeholder, #react-root { display: none !important; } body { background-color: #FFF !important; }

JavaScript is not available.

We’ve detected that JavaScript is disabled in this browser. Please enable JavaScript or switch to a supported browser to continue using twitter.com. You can see a list of supported browsers in our Help Center.

Terms of Service Privacy Policy Cookie Policy Imprint Ads info © 2023 Twitter, Inc.

Conversation

Guillermo Rauch

Impressed with

's npm RFC and the positive positive support it's accrued so far. My take: this grants the npm ecosystem… ✅ Improved security ✅ Faster installs ✅ Improved cacheability & reproducibility ✅ Better cross-platform support github.com/npm/rfcs/pull/

5:06 PM · Nov 6, 2021

Replying to

and

I don’t think it will solve the security problem, just make it a bit harder for attackers to exploit. I think it would provide a better experience for developers anyway for all the other reasons.

1

13

Guillermo Rauch

Replying to

and

Security is not solved. It’s a spectrum. Furthermore, not all npm installations lead to direct `node` evaluation, which is the common objection I’m hearing (“just hide the payload in the source instead”)

3

1

12

Show replies

Replying to

and

I'm glad that someone took it upon themselves to put forth a solution to address these. However I am sad that we had to wait for new incidents to happen for these issues to be taken seriously. FWIW Yarn 2+ addresses all of them, but people have been dismissive of it.

1

2