vel0city, 67 days ago, on: You too can run malware from NPM (I mean without c...
The package-lock.json includes a hash of the package, not just a version number which should be immutable.
whilenot-dev, 67 days ago
To add to this: the hash in the lock file is the checksum of the published tarball, not the commit hash.
cluckindan, 67 days ago
And then someone runs `npm install` on their CI