For anyone publishing packages for others to use: please don't pin exact dependency versions. Doing so requires all your users to set "overrides" in their own package.json when your dependencies have vulnerabilities.
Most of the best practices can be translated to the Python ecosystem. It's not an exact 1:1 mapping, but change a few key terms and tools and the underlying practices should be the same.
Or copy that repo's markdown into an LLM and ask it to map to the pip ecosystem.
The lockfile is updated _after_ any new malicious version is downloaded and installed. If we pinned the exact version, `npm install` will _not_ download and execute any new published versions.
That's why we use `npm ci` or `--frozen-lockfile` to install the exact versions from the lockfile. But, by default, the `^` operator and a plain `install` command will check the registry for any new releases and download them.
The primary arguments against pinning versions are missing security updates and increased maintenance overhead. But given the patterns we've seen, the attackers really _hope_ we automatically install new releases.
npm install does install the exact versions from the lockfile, even though this misconception gets repeated in every single thread about npm here on HN. npm install will not randomly update your direct dependencies, let alone transitive dependencies.
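To make the `^` discussion above concrete, here is an added example (not from any commenter or project) that reads a constructed package.json and package-lock.json and reports, for each caret-ranged dependency, the locked version and the exclusive upper bound a fresh resolution (no lockfile present, or `npm update`) would be allowed to reach. Package names and versions are made up; only plain `^x.y.z` and exact `x.y.z` specifiers are handled.

```python
"""Report which declared npm dependency ranges would let a newer release in."""
import json
import re

# Constructed sample manifest and lockfile (not from any real project).
PACKAGE_JSON = json.dumps({
    "dependencies": {"example-util-a": "^1.3.0", "example-util-b": "0.4.2", "example-util-c": "^0.0.3"}
})
PACKAGE_LOCK = json.dumps({
    "packages": {
        "node_modules/example-util-a": {"version": "1.3.0"},
        "node_modules/example-util-b": {"version": "0.4.2"},
        "node_modules/example-util-c": {"version": "0.0.3"},
    }
})

SEMVER = re.compile(r"^\^?(\d+)\.(\d+)\.(\d+)$")


def caret_upper_bound(spec):
    """Return the exclusive upper bound a caret range permits, or None for an exact pin.

    npm caret rules: ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4.
    """
    m = SEMVER.match(spec)
    if not m:
        raise ValueError(f"unsupported specifier: {spec}")
    major, minor, patch = (int(x) for x in m.groups())
    if not spec.startswith("^"):
        return None  # exact pin: resolution without a lockfile still yields this version
    if major > 0:
        return (major + 1, 0, 0)
    if minor > 0:
        return (0, minor + 1, 0)
    return (0, 0, patch + 1)


def floating_dependencies(package_json, package_lock):
    """Map each caret-ranged dependency to (locked version, exclusive upper bound)."""
    deps = json.loads(package_json)["dependencies"]
    locked = json.loads(package_lock)["packages"]
    result = {}
    for name, spec in deps.items():
        bound = caret_upper_bound(spec)
        if bound is None:
            continue
        version = locked[f"node_modules/{name}"]["version"]
        result[name] = (version, "<" + ".".join(map(str, bound)))
    return result
```

With a lockfile committed and `npm ci` in CI, the locked column is what gets installed; the bound column is the window a newly published release could land in only when the range is re-resolved.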
One decision I had to make was whether the site should update in real time or be curated only. Eventually, I chose the latter because my personal goal is not to read every new link, but to read a few and understand them well.
I’ve also been experimenting with a curated webdev related newsfeed based on HN submissions: lessnews.dev
The goal is not to keep users on the site. If some dev visits the site once in a while and finds a link useful, that's it.
Orion on YouTube is unusable at the moment. Click play, an ad plays for 1 second and disappears, but then nothing else plays. Click again, another ad briefly appears and disappears. I have to resort back to Firefox with uBlock Origin just to watch YouTube.
Nicely done, and while we're on the topic of doomscrolling, maybe there's a surge of anti-doomscrolling trends coming soon? I know I built lessnews.dev to overcome my urge to mindlessly scroll HN all day.
Discussion on HN last time: https://news.ycombinator.com/item?id=45326754