no.
.-–**-..––.g.g.–*.-.
Is see. So it’s insecure and broken by design. Well it’s note.js, we knew that.
4 Likes
I wouldn’t say so. I run npm update in microtube on my own volition, to update minor release of the youtube libraries in case youtube breaks something thats then later fixed by library, so that I don’t have to release microtube so often. Its good idea but thanks to npm bullshittery it has drawbacks yes. But at the same time if npm reverses the version it will also fix the issue so… it’s also a solution
There’s pinning, so you could stop most of the basic junk from autoupdating (leftpad doesn’t need latest and greatest backdoored version), reducing the attack surface, but yeah npm is npm