
441 points longcat | 2 comments
tln No.45041050
How can we stop having post-install scripts with such access?

Can I turn off those post install scripts globally?

Are there alternatives to npm that do a better job here?

1. ryanto No.45041827
You can use pnpm, which forces you to approve the install scripts you want to run.
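An added example, not from the thread: a small JavaScript model of the two install-time controls discussed here, npm's `ignore-scripts=true` in `.npmrc` and pnpm's `pnpm.onlyBuiltDependencies` allow list in `package.json` (pnpm 10 or later assumed, where dependency build scripts are skipped unless listed). The allow list is keyed by package name, so a listed package's scripts keep running when it is updated; the sample project files are constructed.

```javascript
// Parse the ini-like .npmrc format: `key=value` lines, `#` or `;` comments.
function parseNpmrc(text) {
  const config = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    config[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return config;
}

// Would dependency `name`'s preinstall/install/postinstall scripts run?
// manager is "npm" or "pnpm"; pnpm 10+ semantics are assumed (model, not the tools' code).
function lifecycleScriptsRun(manager, npmrcText, packageJsonText, name) {
  const rc = parseNpmrc(npmrcText);
  if (rc["ignore-scripts"] === "true") return false; // both managers honour this setting
  if (manager === "npm") return true;                 // npm default: every dependency script runs
  const pkg = JSON.parse(packageJsonText);
  const allowed = (pkg.pnpm && pkg.pnpm.onlyBuiltDependencies) || [];
  return allowed.includes(name);                      // pnpm: allow list by package name only
}

// Constructed sample project files.
const NPMRC_DEFAULT = "registry=https://registry.npmjs.org/\n";
const NPMRC_LOCKED = "registry=https://registry.npmjs.org/\nignore-scripts=true\n";
const PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  private: true,
  dependencies: { esbuild: "*", "left-pad": "*" },
  pnpm: { onlyBuiltDependencies: ["esbuild"] }, // only esbuild may build under pnpm
}, null, 2);

// Summarise the four cases a reviewer cares about.
function summary() {
  return {
    npmDefault: lifecycleScriptsRun("npm", NPMRC_DEFAULT, PACKAGE_JSON, "left-pad"),
    npmIgnore: lifecycleScriptsRun("npm", NPMRC_LOCKED, PACKAGE_JSON, "left-pad"),
    pnpmAllowed: lifecycleScriptsRun("pnpm", NPMRC_DEFAULT, PACKAGE_JSON, "esbuild"),
    pnpmNotAllowed: lifecycleScriptsRun("pnpm", NPMRC_DEFAULT, PACKAGE_JSON, "left-pad"),
  };
}

console.log(summary());
```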
2. ireadmevs No.45042281
Do you approve on every update of the package? Do they offer a way to quickly review what’s going to run and what has changed since the last approval? Otherwise it’s just like another checkbox of “I confirm I read the terms and conditions”