This is why I removed nodejs from my userspace completely (and cargo, and uv) and just work in containers now. For review, I no longer diff npm packages on git sources but on npm tarballs, and after I have it run postinstall, also in docker, with diffoci.
Could maybe do something with less friction by templating bwrap, but for now the container overhead does help with retention too (docker save has been promoted to be among my fav tools now).
Socket's alert caught the packages right after publish: the injected drainers were in @tanstack/query, table, router, etc., via a maintainer machine compromise. Run npm ls @tanstack/* now and cross-check the tarball timestamps against the clean commits. Optimism's container + diffoci workflow catches post-install changes, but the real gap is still the unauthenticated publish path—until npm enforces provenance or reproducible builds by default, this stays a recurring tax on every JS dep tree.
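The cross-check suggested in the reply above (installed versions versus registry publish timestamps and the last known-clean time, plus a look for install-time lifecycle scripts, which is what the container + diffoci workflow in the earlier comment is guarding against) as an added example. This is not code from the thread, from Socket, or from the TanStack project: both inputs are constructed inline to mimic `npm ls --json --all` output and the registry packument's `time` and per-version `scripts` fields; the package names come from the thread, while the version numbers, dates and scripts are made up, and the clean-time cutoff is an assumption you would replace with the timestamp of the last commit you actually reviewed.

```javascript
// Added example, not code from the thread or from any project named in it.
// Audits an installed npm dependency tree against registry publish timestamps:
// every package in a watched scope whose installed version was published after
// the last hand-reviewed ("clean") time, or whose version carries an install
// lifecycle script, is reported for a human look. All data below is constructed.

const WATCHED_SCOPE = "@tanstack/";
const CLEAN_TIME = "2026-02-10T12:00:00.000Z"; // assumed: time of the last commit reviewed by hand

// Constructed stand-in for `npm ls --json --all` (nested "dependencies" tree).
const npmLsOutput = {
  name: "my-app",
  dependencies: {
    "@tanstack/react-query": {
      version: "5.60.2",
      dependencies: { "@tanstack/query-core": { version: "5.60.2" } },
    },
    "@tanstack/react-table": { version: "8.20.5" },
    "@tanstack/react-router": { version: "1.90.0" },
    react: { version: "18.3.1" },
  },
};

// Constructed stand-in for registry packuments, reduced to the two fields the
// check needs: "time" (version -> publish timestamp) and per-version "scripts".
// Real data would be fetched from https://registry.npmjs.org/<package-name>.
const registry = {
  "@tanstack/react-query": {
    time: { "5.60.1": "2026-01-20T08:00:00.000Z", "5.60.2": "2026-02-11T09:15:00.000Z" },
    versions: { "5.60.1": { scripts: {} }, "5.60.2": { scripts: { postinstall: "node ./setup.js" } } },
  },
  "@tanstack/query-core": {
    time: { "5.60.2": "2026-02-11T09:14:00.000Z" },
    versions: { "5.60.2": { scripts: {} } },
  },
  "@tanstack/react-table": {
    time: { "8.20.5": "2025-12-01T10:00:00.000Z" },
    versions: { "8.20.5": { scripts: {} } },
  },
  "@tanstack/react-router": {
    time: { "1.90.0": "2026-02-05T10:00:00.000Z" },
    versions: { "1.90.0": { scripts: { build: "vite build" } } },
  },
};

// Lifecycle scripts npm runs automatically during install.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Walk the nested `npm ls` tree and collect name -> set of installed versions
// (the same package can be present at several versions in one tree).
function flattenTree(node, out = new Map()) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    if (!out.has(name)) out.set(name, new Set());
    out.get(name).add(child.version);
    flattenTree(child, out);
  }
  return out;
}

// Return one finding per installed (name, version) in the watched scope that
// was published after the clean time, has no registry timestamp at all, or
// declares an install lifecycle script. Findings are sorted by package name.
function auditTree(lsOutput, registryData, cleanTime, scope) {
  const findings = [];
  const cutoff = Date.parse(cleanTime);
  for (const [name, versions] of flattenTree(lsOutput)) {
    if (!name.startsWith(scope)) continue;
    for (const version of versions) {
      const reasons = [];
      const meta = registryData[name];
      const publishedAt = meta && meta.time ? meta.time[version] : undefined;
      if (publishedAt === undefined) {
        reasons.push("no registry timestamp for installed version");
      } else if (Date.parse(publishedAt) > cutoff) {
        reasons.push(`published ${publishedAt}, after clean time ${cleanTime}`);
      }
      const scripts =
        (meta && meta.versions && meta.versions[version] && meta.versions[version].scripts) || {};
      const hooks = INSTALL_HOOKS.filter((h) => h in scripts);
      if (hooks.length) reasons.push(`has install lifecycle script(s): ${hooks.join(", ")}`);
      if (reasons.length) findings.push({ name, version, reasons });
    }
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

// Stand-alone run: print every package that needs a manual review.
for (const f of auditTree(npmLsOutput, registry, CLEAN_TIME, WATCHED_SCOPE)) {
  console.log(`${f.name}@${f.version}\n  - ${f.reasons.join("\n  - ")}`);
}
```

With the constructed data, two of the four in-scope packages are flagged: @tanstack/query-core because its installed version was published after the clean time, and @tanstack/react-query for that reason plus a postinstall script; react-table and react-router are silent. A "published after" hit is not proof of compromise, only the set of tarballs worth diffing against the corresponding git tag (or running through the container + diffoci step) before trusting them.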
Wow