Yeah, it's called pinning. When you use yarn or npm, they generate a lock file that pins the exact state of your downloaded set of node modules, so you can't accidentally download a different set of artifacts that might be poisoned.

As for "but what if they hide it?" that's just a problem with compilers. A very "Reflections on Trusting Trust" sort of thing. I'm usually a few versions behind, so if anything like that were to exist it would have been caught by someone else.

For people who may want to read more about "Reflections on Trusting Trust": https://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html and https://wiki.c2.com/?TheKenThompsonHack.

