
From pnpm's Cool Feature to npm's Life jacket: The (somewhat accidental) birth of age-install

#javascript #npm #security #softwareengineering #supplychain
⚡ TL;DR · AI summary

The article describes the accidental creation of a tool called age-install, inspired by a pnpm feature that delays installation of recently published npm packages to mitigate supply chain attacks. The developer built a prototype to bring similar safety to npm, despite challenges like version resolution, scoped packages, and API rate limits. The tool addresses a security gap many assume already exists in npm.

Original article: DEV.to (Top)

Opening excerpt (first ~120 words)

CinfiniteDev · Posted on May 16

Or: How I built a tool nobody asked for, everyone needs, and should've made years ago

It started with a blog post (as these things do)

I was procrastinating—er, researching—when I stumbled across pnpm's release notes for…

Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to (Top).
