Meat of the advice is pin dependency versions and disable install scripts with "npm config set ignore-scripts true", nothing updates accidentally and nothing runs immediately when updates do happen.
Also minimum package ages, but it would be surprising if malicious stuff doesn't stay inert for a day or two by now to mitigate that.
1 comment
[ 3.2 ms ] story [ 15.3 ms ] threadAlso minimum package ages, but it would be surprising if malicious stuff doesn't stay inert for a day or two by now to mitigate that.