I came across this issue on the npm repo, which was about mitigating the risk of adding a compromised dependency to your project by installing the very latest version of a package.
The idea is to introduce some kind of "cool off" period before fetching a new package (e.g. one or two weeks), so that the risk of downloading malicious code that is not yet known to yarn audit is reduced.
npm seems to have a "--before" flag that could be used for this purpose. What does yarn have to offer?
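As an added illustration of the "cool off" idea described in the question (this is example code written for this page, not yarn's implementation and not part of the original post), the block below applies the same rule that npm's --before flag applies: only versions published before a cut-off date are eligible for install. It works on the npm registry's packument format, whose real `time` map records the publish timestamp of every version; the package name, versions and dates in `SAMPLE_PACKUMENT` are constructed sample data so the script runs offline.

```javascript
// Added example, not from the yarn project or the original post: a "cool off"
// gate over npm registry metadata, mirroring what `npm install --before=<date>`
// does. SAMPLE_PACKUMENT is constructed data in the registry's real shape; the
// `time` map is where the registry records when each version was published.
const SAMPLE_PACKUMENT = {
  name: "example-lib", // constructed package name
  "dist-tags": { latest: "2.1.0" },
  time: {
    created: "2023-01-10T00:00:00.000Z",
    modified: "2024-06-01T12:00:00.000Z",
    "1.0.0": "2023-01-10T00:00:00.000Z",
    "1.2.0": "2023-09-15T08:30:00.000Z",
    "2.0.0": "2024-05-20T10:00:00.000Z",
    "2.1.0": "2024-06-01T12:00:00.000Z",
  },
};

// Only plain x.y.z releases are considered; prereleases and the registry's
// bookkeeping keys ("created", "modified") are skipped.
const RELEASE_VERSION = /^\d+\.\d+\.\d+$/;

// Numeric comparison of two x.y.z version strings (newest sorts last).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Versions published strictly before `cutoff` (a Date), i.e. those that have
// already been public for at least the cool-off period, sorted ascending.
function versionsBefore(packument, cutoff) {
  return Object.entries(packument.time)
    .filter(([version]) => RELEASE_VERSION.test(version))
    .filter(([, published]) => new Date(published).getTime() < cutoff.getTime())
    .map(([version]) => version)
    .sort(compareVersions);
}

// Newest version that has aged at least `cooldownDays` as of `now`.
// Returns null when nothing has aged enough (a brand-new package, for example),
// which a pre-install check should treat as "do not install yet".
function resolveWithCooldown(packument, cooldownDays, now = new Date()) {
  const cutoff = new Date(now.getTime() - cooldownDays * 24 * 60 * 60 * 1000);
  const eligible = versionsBefore(packument, cutoff);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Does the version the registry advertises as "latest" pass the same gate?
function latestHasAged(packument, cooldownDays, now = new Date()) {
  const latest = packument["dist-tags"].latest;
  return resolveWithCooldown(packument, cooldownDays, now) === latest;
}

// Demo with a fixed clock so the output is reproducible.
function demo() {
  const now = new Date("2024-06-05T00:00:00.000Z");
  console.log("latest tag:", SAMPLE_PACKUMENT["dist-tags"].latest);
  console.log("14-day cooldown resolves to:", resolveWithCooldown(SAMPLE_PACKUMENT, 14, now));
  console.log("latest has aged 14 days:", latestHasAged(SAMPLE_PACKUMENT, 14, now));
}
demo();
```

In a real pipeline the packument would be fetched from `https://registry.npmjs.org/<package>` instead of the embedded sample, and the resulting version (or a refusal when `resolveWithCooldown` returns null) would drive the install. The gate only buys time: it is useful to the extent that a compromised release gets reported and pulled within the chosen window, so it complements rather than replaces audit tooling and lockfile review.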