
Is there an easy tool, maybe something for ${bundler}, to take your package.json and rewrite everything to refer to static versions hosted on your own CDN?

At least that way upgrades, malicious or otherwise, are opt-in for production.

The other thing would be, ideally, a crowd-funded resource to vet particular versions of popular packages.
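One way to get the "rewrite package.json to static, self-hosted versions" behaviour asked about above, as an added example that is not from the commenter or any tool on this page. It pins each dependency to the exact version already resolved in package-lock.json and points it at a tarball URL on a registry or CDN you control (npm accepts a tarball URL as a version spec). The lockfile layout (v2/v3 `packages` keyed by `node_modules/<name>`), the registry tarball path `<name>/-/<basename>-<version>.tgz`, the mirror host and the sample manifest and lockfile are all assumptions or constructed data.

```javascript
// Added example (not code from the thread). Pins every dependency in a package.json
// to the version recorded in package-lock.json and rewrites it to a tarball URL on a
// mirror you control, so a new upstream release cannot reach production until someone
// deliberately re-runs this after updating the lockfile.
//
// Assumptions: lockfile v2/v3 layout ("packages" keyed by "node_modules/<name>"), the
// npm registry tarball path "<name>/-/<basename>-<version>.tgz" mirrored unchanged on
// the internal host, and the placeholder mirror URL below.
const MIRROR_BASE = "https://npm-mirror.internal.example"; // placeholder host

// Constructed sample input standing in for a real package.json.
const SAMPLE_PACKAGE_JSON = {
  name: "app",
  version: "1.0.0",
  dependencies: { "left-pad": "^1.3.0", "@scope/widget": "~2.1.0" },
  devDependencies: { mocha: "^10.0.0" },
};

// Constructed sample lockfile (v3 layout); integrity values are fake placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-PLACEHOLDER" },
    "node_modules/@scope/widget": { version: "2.1.4", integrity: "sha512-PLACEHOLDER" },
    "node_modules/mocha": { version: "10.2.0", integrity: "sha512-PLACEHOLDER" },
  },
};

// The tarball file name uses only the unscoped part of a scoped package name.
function tarballUrl(base, name, version) {
  const basename = name.startsWith("@") ? name.split("/")[1] : name;
  return `${base}/${name}/-/${basename}-${version}.tgz`;
}

// Returns a new manifest plus a change list; the input object is left untouched.
// Throws if a dependency has no locked version, because silently leaving a semver
// range in place would defeat the purpose of pinning.
function pinToMirror(pkg, lock, base) {
  const out = JSON.parse(JSON.stringify(pkg));
  const changes = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const name of Object.keys(out[field] || {})) {
      const entry = lock.packages[`node_modules/${name}`];
      if (!entry || !entry.version) {
        throw new Error(`${name} has no resolved version in the lockfile; run npm install first`);
      }
      const pinned = tarballUrl(base, name, entry.version);
      changes.push({ name, from: out[field][name], to: pinned });
      out[field][name] = pinned;
    }
  }
  return { manifest: out, changes };
}

// Stand-alone run: print what changed and the rewritten manifest.
if (typeof require !== "undefined" && require.main === module) {
  const { manifest, changes } = pinToMirror(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK, MIRROR_BASE);
  for (const c of changes) console.log(`${c.name}: ${c.from} -> ${c.to}`);
  console.log(JSON.stringify(manifest, null, 2));
}
```

The script only rewrites references; the tarballs themselves still have to be copied to the mirror, and the `integrity` hashes in package-lock.json keep verifying their content regardless of which host serves them. Transitive dependencies are not listed in package.json, so they are still governed by the lockfile and by whatever registry npm is pointed at; a caching proxy such as the verdaccio setup mentioned further down covers that part.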




For NPM, use https://verdaccio.org/. It can proxy the public registry. Install your project and it will pull and cache the dependencies. Once cached, you can remove the uplink and it will only serve the cached version.
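A minimal verdaccio config.yaml for the two-phase workflow the comment describes (cache with the uplink on, then serve only what was cached), as an added example that is not from the commenter or the verdaccio project. The keys used (storage, listen, uplinks, packages, access, publish, proxy) are verdaccio's own; the storage path and listen address are assumptions. The two phases are shown as two YAML documents for comparison; verdaccio reads one config file at a time.

```yaml
# Phase 1: caching proxy. Any package request not already present under ./storage
# is fetched from the npmjs uplink and stored locally.
storage: ./storage
listen: 0.0.0.0:4873

uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '@*/*':
    access: $all
    publish: $authenticated
    proxy: npmjs
  '**':
    access: $all
    publish: $authenticated
    proxy: npmjs

---
# Phase 2: offline. The same file after the uplink is removed. With no `proxy:` on
# any package pattern and no `uplinks` section, verdaccio answers only from
# ./storage, so a version that was never installed (and therefore never cached)
# fails to resolve instead of being fetched from whatever upstream publishes next.
storage: ./storage
listen: 0.0.0.0:4873

packages:
  '@*/*':
    access: $all
    publish: $authenticated
  '**':
    access: $all
    publish: $authenticated
```

Point npm at the proxy for the install that populates the cache (for example `npm install --registry http://localhost:4873/`, or set `registry` in the project's .npmrc so CI cannot fall back to the public registry). Bumping a dependency later means re-enabling the uplink long enough to cache the new version and then removing it again, which is exactly the opt-in upgrade step the thread is after; the `integrity` field in package-lock.json still verifies each tarball no matter which registry served it.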



