Comment by homebrewer

Comment by homebrewer 19 hours ago

pnpm does all that on top of node. Also disables postinstall scripts by default, making the recent security incidents we've seen a non-issue.

junon 17 hours ago

As the victim of the larger pre-Shai-Hulud attack, unfortunately the install script validation wouldn't have protected you. Also, if you already have an infected package on the whitelist, a new infection in the install script will still affect you.

Reply View 0 replies

antihero 18 hours ago

I’m not sure why but bun still feels snappier.

Reply View 2 replies

B56b 18 hours ago

This is why: https://bun.com/blog/behind-the-scenes-of-bun-install

Reply View | 0 replies
babyshake 17 hours ago

Aside from speed, what would the major selling points be on migrating from pnpm to bun?

Reply View | 0 replies

daheza 18 hours ago

Are there any popular packages that require postinstall scripts that this hurts?

Reply View 0 replies

replete 14 hours ago

A whitelist in package.json is only a partial assist

Reply View 0 replies