Interesting has a 24hr cooldown before trusting package updates and a no-trust option for trusting downgrades given all the npm hacks and issues lately, smart move. I wonder if there's better ways to protect against this.
Same here; I hope the vulnerability discovery process evolves from "letting somebody else find out first". There are tons of vendors that scan the ecosystem, but I'd love something that works automatically at the point of install
Interesting has a 24hr cooldown before trusting package updates and a no-trust option for trusting downgrades given all the npm hacks and issues lately, smart move. I wonder if there's better ways to protect against this.
Same here; I hope the vulnerability discovery process evolves from "letting somebody else find out first". There are tons of vendors that scan the ecosystem, but I'd love something that works automatically at the point of install
appears vibecoded which doesn't give me confidence, still interesting though.
pnpm has also moved a few of its components from javascript to rust in its latest release