bodash's comments

FYI: npm 12 will have more secure defaults (https://github.blog/changelog/2026-06-09-upcoming-breaking-c...), but it will be a while for the ecosystem to catch up, and npm's reputation is already damaged.

Agreed. If it's "digital", it will be used for elite power plays, because it's too easy. How else could you mass control/analyse/manipulate millions of people instantly? Digital, digital, digital...

My browser combo: Firefox Developer Edition + uBo + Privacy Badger + Facebook Containers

One-time setup; it's synced to a Mozilla account for later reinstalls.


Caution?: Mozilla Sync doesn't guarantee storage space? They claim you need another instance running?

GitHub repo (800+ stars) on a list of tips for protecting against npm supply chain attacks: https://github.com/bodadotsh/npm-security-best-practices


There's no magical solution; you just have to use (WAY) fewer dependencies.


This is a surprise. And they still haven't included corepack as an official instruction on the nodejs.org download page. Is corepack a failed experiment?



Astro might be the closest option here. JSX can be used as a templating language for it, and devs can still opt in to fully client-side islands.


AstroNvim v6 was just released after Neovim 0.12, and it's my favourite out-of-the-box setup.


Some great tips in this thread, and I've been collecting them all at https://github.com/bodadotsh/npm-security-best-practices


Exactly! I've noticed a resounding number of people are writing the same pieces recently; it's almost like everyone's sounding their alarm for the upcoming tsunami. Who's listening? Here's my piece: https://humantodo.dev

