441 points longcat | 1 comments
emmanueloga_ ◴[] No.45043976[source]
I wonder if anyone uses https://verdaccio.org/ to vendor packages?

In theory for each package one could:

* npm install pkg

* npm pack pkg

* npm publish --registry=https://verdaccio.company.com

* set .npmrc to "registry=https://verdaccio.company.com/" when working with the actual app.

...this way, one could vet packages one by one. The main caveat I see is that it’s very inconvenient to have to vet and publish each package manually.

It would be great if Verdaccio had a UI to make this easier, for example, showing packages that were attempted to install but not yet vetted, and then allowing approval with a single click.

replies(1): >>45045555 #
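
One check that fits the workflow described in the comment above, as an added example that is not part of the thread or of Verdaccio: it scans a parsed package-lock.json and reports every dependency whose tarball was not resolved from the internal registry. The function name `findUnvetted` and the sample lockfile are assumptions made for illustration.

```javascript
// Added example. The registry URL is the one from the comment above;
// SAMPLE_LOCK is constructed data, not a real project's lockfile.
const VETTED_REGISTRY = "https://verdaccio.company.com";

// Return one finding per package-lock.json (lockfileVersion 2 or 3) entry
// whose tarball did not come from the vetted registry or has no integrity hash.
function findUnvetted(lock, registry = VETTED_REGISTRY) {
  const allowed = new URL(registry);
  const marker = "node_modules/";
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace sources, symlinks and bundled deps.
    if (!path.includes(marker) || meta.link || meta.inBundle) continue;
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const id = `${name}@${meta.version}`;
    let url;
    try {
      url = new URL(meta.resolved);
    } catch {
      findings.push({ id, reason: "missing or unparseable resolved URL" });
      continue;
    }
    // Compare scheme and host exactly: a string-prefix test would accept
    // https://verdaccio.company.com.example.net/.
    if (url.protocol !== allowed.protocol || url.host !== allowed.host) {
      findings.push({ id, reason: `resolved from ${url.protocol}//${url.host}` });
    } else if (!meta.integrity) {
      findings.push({ id, reason: "missing integrity hash" });
    }
  }
  return findings;
}

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/pkg-a": { version: "1.3.0", integrity: "sha512-CONSTRUCTED",
      resolved: "https://verdaccio.company.com/pkg-a/-/pkg-a-1.3.0.tgz" },
    "node_modules/@scope/pkg-b": { version: "2.0.1", integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/@scope/pkg-b/-/pkg-b-2.0.1.tgz" },
    "node_modules/pkg-c": { version: "0.1.0", integrity: "sha512-CONSTRUCTED",
      resolved: "https://verdaccio.company.com.example.net/pkg-c/-/pkg-c-0.1.0.tgz" },
  },
};

for (const f of findUnvetted(SAMPLE_LOCK)) console.log(`${f.id}: ${f.reason}`);
```

In a real project, pass the result of `JSON.parse` on the project's `package-lock.json` and fail the CI job when the returned list is non-empty.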
1. emmanueloga_ ◴[] No.45045555[source]
I just found that someone posted a Show HN for a utility to solve this issue [1].

I think this reinforces the idea that this is something that could be built into Verdaccio.

--

1: https://news.ycombinator.com/item?id=44891786