npm Shrinkwrap reloaded: Locking npm Deps with Package-Lock and Yarn.Lock
8y agoen
Source
Locking or “pinning” dependencies is a widespread best practice in Ruby, Python, and other ecosystems. In Node.js locking was much less widespread, until recently, thanks to the improvements provided by package-lock.json and yarn.lock. This post discusses how each of these solutions works and why you may want to use them.
You might also wanna read
DepsGuard: Open-source Rust tool to harden package manager configs against supply chain attacks
DepsGuard is an open-source Rust tool (single static binary, zero Rust crate dependencies) that hardens package manager configurations again

Bun's new text-based lockfile
bun.com·1y ago
NPM Security Best Practices Guide for Preventing Supply Chain Attacks
This GitHub repository provides comprehensive security best practices for NPM (Node Package Manager) to protect against supply chain attacks
NPM Vulnerability Allows 126 Malicious Packages to Be Downloaded 86,000+ Times
Security researchers have discovered a major vulnerability in NPM (Node Package Manager) that allows attackers to distribute malicious packa
arstechnica.com·8mo ago
Bun v1.1.39
bun.com·1y ago
Popular npm packages debug and chalk compromised with crypto-intercepting malware
Starting September 8th, 2023, the popular npm packages "debug" and "chalk" were compromised with malicious code. These packages, which colle
aikido.dev·10mo ago
Comments
Sign in to join the conversation.
No comments yet. Be the first.