That's only *half* the story, as I learned yesterday <https://news.ycombinator.c... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		mdaniel 18 days ago \| parent \| context \| favorite \| on: DuckDB NPM packages 1.3.3 and 1.29.2 compromised w... That's only half the story, as I learned yesterday <https://news.ycombinator.com/item?id=45172213> since even with lock files one must change the verb given to npm/yarn to have them honor the lock file So, regrettably, we're back to "train users" and all the pitfalls that entails

3np 18 days ago [–]

More importantly, avoid yarn[0] if you have a choice. They do not have a security posture fitting for 2025. There's way too much assumptions like "helpful" "magic" guessing/inferring what the user "actually wants" to "make things just work". See also: corepack.

[0]: legacy 1.x projects aside

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact