
We didn't get locking until npm v5 (some memory and googling, could be wrong.) And it took a long time to do everything you'd think you want.

Changing the main command `npm install` after 7 years isn't really "stable". Anyway didn't this replace versions, so locking won't have helped either?



You can’t replace existing versions on npm. (But probably more important is what @jffry mentioned – yes, lockfiles include hashes.)


> Anyway didn't this replace versions, so locking won't have helped either?

The lockfile includes a hash of the tarball, doesn't it?


It does, the answer to my question was no.



