1 comments

  • benoau an hour ago

    Meat of the advice is pin dependency versions and disable install scripts with "npm config set ignore-scripts true", nothing updates accidentally and nothing runs immediately when updates do happen.

    Also minimum package ages, but it would be surprising if malicious stuff doesn't stay inert for a day or two by now to mitigate that.