Meat of the advice is pin dependency versions and disable install scripts with "npm config set ignore-scripts true", nothing updates accidentally and nothing runs immediately when updates do happen.
Also minimum package ages, but it would be surprising if malicious stuff doesn't stay inert for a day or two by now to mitigate that.
benoau•54m ago
Also minimum package ages, but it would be surprising if malicious stuff doesn't stay inert for a day or two by now to mitigate that.