Every time you run npm install, you're trusting someone else's code to run on your machine. Not eventually — right now. Postinstall hooks fire the second a package lands. No review, no prompt. I built plum to change that. It's a CLI that downloads the package tarball into memory, reads the source, and scores it before anything touches your project. I pointed it at the 20 most downloaded npm packag
I scanned the top 20 npm packages. Everyone passed CVE checks, but here's what the static analysis found
Ryan Cuff · Dev.to · 1 min read
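The paragraph above describes the core idea behind plum: pull the package tarball into memory and inspect it before npm's lifecycle hooks get a chance to run. The following is an added example of that pre-install check, not plum's own code; the tarball is constructed inline, and the patterns and point values are illustrative heuristics chosen here, not the tool's real scoring.

```python
import io
import json
import re
import tarfile

# Heuristic risk signals (assumed for this example; not plum's real rules).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
SOURCE_PATTERNS = {
    "child_process": re.compile(r"require\(['\"]child_process['\"]\)"),
    "eval": re.compile(r"\beval\("),
    "network": re.compile(r"require\(['\"](?:https?|net|dns)['\"]\)"),
    "env_access": re.compile(r"process\.env"),
}

def score_tarball(data: bytes) -> dict:
    """Read an npm tarball from memory (nothing is written to disk) and score it."""
    findings, score = [], 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            content = tar.extractfile(member).read()
            if member.name.endswith("package.json"):
                # Lifecycle scripts run automatically on install: weight them highest.
                scripts = json.loads(content).get("scripts", {})
                for hook in LIFECYCLE_HOOKS:
                    if hook in scripts:
                        findings.append(f"{hook}: {scripts[hook]}")
                        score += 3
            elif member.name.endswith(".js"):
                text = content.decode("utf-8", errors="replace")
                for name, pattern in SOURCE_PATTERNS.items():
                    if pattern.search(text):
                        findings.append(f"{member.name}: {name}")
                        score += 1 if name == "env_access" else 2
    return {"score": score, "findings": findings}

def build_tarball(files: dict) -> bytes:
    """Constructed sample tarball using npm's package/ prefix layout."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            payload = text.encode()
            info = tarfile.TarInfo(name=f"package/{path}")
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# Constructed sample package: a postinstall hook that shells out from setup.js.
SAMPLE = build_tarball({
    "package.json": json.dumps({"name": "demo-pkg", "version": "1.0.0",
                                "scripts": {"postinstall": "node setup.js"}}),
    "setup.js": "const cp = require('child_process');\ncp.execSync('echo hi');\n",
    "index.js": "module.exports = () => process.env.HOME;\n",
})

if __name__ == "__main__":
    print(json.dumps(score_tarball(SAMPLE), indent=2))
```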
This article was sourced from Dev.to's RSS feed.