
441 points longcat | 1 comments
inbx0 ◴[] No.45040282[source]
Periodic reminder to disable npm install scripts.

    npm config set ignore-scripts true [--global]
It's easy to do both at project level and globally, and these days there are quite few legit packages that don't work without them. For those that don't, you can create a separate installation script for your project that cds into that folder and runs their install script.

I know this isn't a silver bullet solution to supply chain attacks, but, so far, it has been effective against many attacks through npm.

https://docs.npmjs.com/cli/v8/commands/npm-config

replies(17): >>45040489 #>>45041292 #>>45041798 #>>45041820 #>>45041840 #>>45042872 #>>45043977 #>>45045311 #>>45045447 #>>45045979 #>>45046082 #>>45046981 #>>45047430 #>>45047994 #>>45049197 #>>45049793 #>>45050820 #
tiagod ◴[] No.45040489[source]
Or use pnpm. The latest versions have all dependency lifecycle scripts ignored by default. You must whitelist each package.
replies(3): >>45040822 #>>45041469 #>>45049075 #
chrisweekly ◴[] No.45040822[source]
pnpm is not only more secure, it's also faster, more efficient wrt disk usage, and more deterministic by design.
replies(1): >>45041523 #
norskeld ◴[] No.45041523[source]
It also has catalogs feature for defining versions or version ranges as reusable constants that you can reference in workspace packages. It was almost the only reason (besides speed) I switched a year ago from npm and never looked back.
replies(1): >>45043771 #
mirekrusin ◴[] No.45043771[source]
workspace protocol in monorepo is also great, we're using it a lot.
replies(1): >>45044359 #
dvfjsdhgfv ◴[] No.45044359[source]
OK so it seems too good now, what are the downsides?
replies(5): >>45044388 #>>45045456 #>>45046645 #>>45049226 #>>45050575 #
TheRoque ◴[] No.45046645{5}[source]
Personally, I didn't find a way to create one docker image for each of my project (in a pnpm monorepo) in an efficient way
replies(1): >>45047451 #
no_wizard ◴[] No.45047451{6}[source]
That’s not really a pnpm problem on the face of it