new | ask | show | jobs
whimblepop 5 hours ago  [ - ]

I got "overblocked" for this one:

  rm -rf node_modules && npm install
but actually if you're only removing `node_modules` and you have a working package-lock.json already, what you want is `npm ci`; `npm install` can mutate package-lock.json and potentially expose you to supply chain attacks. If you use `npm ci` I think you don't need to `rm -rf node_modules`, either.

Anyway you should generally run `npm ci` except when you're deliberately updating your actual dependencies. I'd only permit an `npm install` if I was adding or updating a dependency, or I'd just reviewed an `npm ci` failure.

gamer191 5 hours ago  [ - ]

But also why would Claude need to run `rm -rf node_modules && npm install`? Without the context of seeing what changes it’s made, I’d be inclined to assume that Claude has added a new dependency, which I definitely don’t wanna blindly trust it to install

Wirbelwind 3 hours ago  [ - ]

thanks for the pointer! renamed it to npm ci so it's still 'safe'