Is it typical in the JS space to include dependencies without versioning? Also, ...

naugtur · 2025-09-09T12:02:40 1757419360

packages published to npm are immutable. if you pin a version, you get the same exact version as long as MSFT servers are not compromised.

Installing from git is not recommended and has more issues than you might think https://dev.to/naugtur/a-phish-on-a-fork-no-chips-52cc

You are supposed to update packages, even if you use lockfiles (very common) or tools that pin your direct dependencies (renovate etc. not so common) And when you do update, will you read the package and all of its updated dependencies?

It's a hard problem with a bunch of tradeoffs.

Can be done, with enough attention and tools. Tools include LavaMoat :)

whilenot-dev · 2025-09-09T12:09:49 1757419789

> packages published to npm are immutable.

Depends how you'd refer to them... tags ("@latest", "@next" etc.) are not immutable and it's best to rely on the checksums in the lock file.

clbrmbr · 2025-09-09T12:09:12 1757419752

Re: updates: I was just thinking of waiting a few weeks on the updates to allow compromised packages to be discovered.

naugtur · 2025-09-09T12:41:43 1757421703

socket.dev will find most malware within hours of it being published.

with LavaMoat most malware won't work even if you don't detect it.

vel0city · 2025-09-09T12:08:45 1757419725

The package-lock.json includes a hash of the package, not just a version number which should be immutable.

whilenot-dev · 2025-09-09T12:12:24 1757419944

To add to this: the hash in the lock file is the checksum of the published tarball, not the commit hash.

cluckindan · 2025-09-09T15:26:31 1757431591

And then someone runs `npm install` on their CI