u/root0ps

▲ 40 r/nextjs+4 crossposts

pnpm 11 Might Finally Be a Better Default Than npm

pnpm 11 feels like the first Node.js package manager update in a while that actually improves supply chain security by default.

Features like:

  • minimumReleaseAge
  • blockExoticSubdeps
  • allowBuilds

directly reduce the risk of malicious package installs in CI/CD pipelines.

I wrote a short deep dive on why I think pnpm is now a better default than npm for production workloads.

Curious what others here are using in production today.

https://blog.prateekjain.dev/you-should-move-to-pnpm-from-npm-now-6e84b6cc7778?sk=fe3913487a067decbc069234e4e2ad1f
u/root0ps — 13 hours ago
▲ 13 r/devsecops+2 crossposts

With everything that's happened recently, the Axios npm account hijack, LiteLLM getting poisoned on PyPI, and that coordinated npm/PyPI/Docker Hub campaign in April, I finally stopped manually running npm audit and set up something proper.

Been running Dependency-Track for a few weeks now. It's an OWASP open source project that works differently from the usual scanners: you upload an SBOM for each project and it continuously monitors against NVD, OSS Index, GitHub Advisories, and more. New CVE drops affecting your stack? You get notified without doing anything.

Wrote up how I set it up on Hetzner with Docker, Traefik for HTTPS, and GitHub Actions to auto-generate and upload SBOMs on every push.

u/root0ps — 23 days ago