fergie | 1 month ago

There is a large subset of security problems that are solved by simply eliminating compilation steps typically included in "postinstall". If you want a more secure, more debuggable, more extensible lib, then you should definitely publish it in pure JS (rather than, say, TypeScript), so that there is no postinstall attack surface.

WorldMaker|1 month ago

With type stripping in Node LTS now, there's no reason at all to have a postinstall for TypeScript code either. There are fewer reasons you can't post a "pure TS" library either.

jonkoops|1 month ago

The TypeScript compiler is being ported to Go, so if you want type-checking going forward you will need to execute a native binary.