new | ask | show | jobs
nailer 4 hours ago  [ - ]

We've had this discussion since Eazel Linux desktop popularized bash | curl in 2001.

> npm install ... is a much better approach to managing installed packages.

No. Until the upcoming version of npm is out, npm will also run arbitrary code. Almost all common installation tools run arbitrary code. Not doing that is sadly the exception for now.

mapontosevenths 3 hours ago  [ - ]

Isn't executing arbitrary code kind of the entire point of NPM though? Any chance you have a link to something that describes their plans?

nailer 3 hours ago  [ - ]

> Isn't executing arbitrary code kind of the entire point of NPM though?

No. npm is a package manager. As mentioned in the comment you're replying to, almost all package managers execute arbitrary code. Eg:

- pip

- Cargo

- apt/dpkg

- dnf/yum

- Homebrew

- RubyGems

- Composer (limited)

- Maven

> Any chance you have a link to something that describes their plans?

https://github.blog/changelog/2026-06-09-upcoming-breaking-c...