1 comment

[ 3.2 ms ] story [ 15.3 ms ] thread
Meat of the advice is pin dependency versions and disable install scripts with "npm config set ignore-scripts true", nothing updates accidentally and nothing runs immediately when updates do happen.

Also minimum package ages, but it would be surprising if malicious stuff doesn't stay inert for a day or two by now to mitigate that.