You are absolutely right. The dangerous part of NPM packages is the post-install script. Therefore moving from JavaScript to Java removes the threat.

    AbstractFinalFactoryShaiHuludSerialisedFactory
Yeah, but you don’t have to use that, I think. I think us Node people can just pretend to write ECMAScript 2 in Java and be fine.
…. lol
Meh, Maven plugins are just as juicy a target as npm is.
https://github.com/s4u/pgpverify-maven-plugin

If you want paranoid mode, you can verify literally every part of the Maven build process.

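As an added illustration of the comment above (this is not the commenter's own config, nor an excerpt from the plugin's repository), here is how the linked pgpverify-maven-plugin is typically wired into a build so that every dependency, and the build plugins themselves, must carry a PGP signature that matches a pinned key. The plugin coordinates and the `check` goal are taken from the project's published documentation; the version number is a placeholder, and the `keysMapLocation` and `verifyPlugins` parameters are named from memory and should be confirmed against the plugin's current README before relying on them.

```xml
<!-- Added example: pom.xml fragment wiring pgpverify-maven-plugin into the build.
     Assumptions: VERSION_PLACEHOLDER must be replaced with a real release;
     keysMapLocation / verifyPlugins parameter names should be checked against
     the plugin's own docs. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.simplify4u.plugins</groupId>
      <artifactId>pgpverify-maven-plugin</artifactId>
      <version>VERSION_PLACEHOLDER</version>
      <executions>
        <execution>
          <goals>
            <!-- 'check' fails the build when an artifact's .asc signature is
                 missing, invalid, or signed by a key not listed in the map -->
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- Assumed parameter: also verify signatures of the build plugins,
             which is what closes the "plugins are just as juicy" gap -->
        <verifyPlugins>true</verifyPlugins>
        <!-- Assumed parameter: file pinning which key fingerprint is allowed
             to sign which artifact, e.g. a line of the form
             groupId:artifactId = 0xFINGERPRINT_PLACEHOLDER -->
        <keysMapLocation>${project.basedir}/pgp-keys-map.list</keysMapLocation>
      </configuration>
    </plugin>
  </plugins>
</build>
```

The important design point is the keys map: signature validity alone only proves that *some* key signed the artifact. Pinning the expected fingerprint per artifact is what turns the check into a supply-chain control, because a newly published, validly signed release under an unexpected key then fails the build instead of passing silently. Keep the keys map under version review like any other trust anchor.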
What do you recommend?