0 points
homebrewer
6mo ago
pnpm does all that on top of node. Also disables postinstall scripts by default, making the recent security incidents we've seen a non-issue.
6 comments · 4 top-level
antihero
6mo ago
· 2 in thread
I’m not sure why but bun still feels snappier.
B56b
6mo ago
This is why:
https://bun.com/blog/behind-the-scenes-of-bun-install
babyshake
6mo ago
Aside from speed, what would the major selling points be on migrating from pnpm to bun?
junon
6mo ago
As the victim of the larger pre-Shai-Hulud attack, unfortunately the install script validation wouldn't have protected you. Also, if you already have an infected package on the whitelist, a new infection in the install script will still affect you.
daheza
6mo ago
Are there any popular packages that require postinstall scripts that this hurts?
replete
6mo ago
A whitelist in package.json is only a partial assist
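
An added example, not part of the thread and not pnpm's own code, illustrating the limitation raised in junon's and replete's comments: an allowlist keyed on package name keeps trusting a package after its install scripts change. It assumes the allowlist lives under `pnpm.onlyBuiltDependencies` in package.json; the package names, manifests and reviewed baseline are constructed for the example.

```javascript
// Added example: audit install-time lifecycle scripts against a name-based allowlist.
const LIFECYCLE = ["preinstall", "install", "postinstall"];

// Constructed root manifest; the allowlist key is an assumption about the setup.
const rootManifest = {
  name: "demo-app",
  pnpm: { onlyBuiltDependencies: ["native-addon"] },
};

// Constructed dependency manifests (hypothetical packages).
const installed = [
  { name: "native-addon", version: "2.0.0", scripts: { install: "node-gyp rebuild" } },
  { name: "native-addon", version: "2.0.1",
    scripts: { install: "node-gyp rebuild", postinstall: "node setup.js" } },
  { name: "left-helper", version: "1.3.0", scripts: { postinstall: "node fetch-binary.js" } },
  { name: "pure-lib", version: "4.1.2", scripts: { test: "mocha" } },
];

// Constructed baseline: the script set a human reviewed when allowlisting the package.
const reviewed = { "native-addon": "install=node-gyp rebuild" };

function auditInstallScripts(root, manifests, baseline = {}) {
  const allow = new Set((root.pnpm && root.pnpm.onlyBuiltDependencies) || []);
  return manifests.map((m) => {
    const hooks = LIFECYCLE.filter((h) => m.scripts && m.scripts[h]);
    const fingerprint = hooks.map((h) => `${h}=${m.scripts[h]}`).join(";");
    let status;
    if (hooks.length === 0) {
      status = "no-scripts";
    } else if (!allow.has(m.name)) {
      status = "blocked"; // default-deny: scripts would not run
    } else if (baseline[m.name] !== undefined && baseline[m.name] !== fingerprint) {
      status = "allowed-changed"; // name still trusted, scripts differ from review
    } else {
      status = "allowed";
    }
    return { id: `${m.name}@${m.version}`, hooks, status };
  });
}

console.log(auditInstallScripts(rootManifest, installed, reviewed));
```

The `allowed-changed` row is the case the allowlist alone does not catch: the name matches, so the new `postinstall` hook would run unless something compares it with what was reviewed.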