An Update on Composer and Packagist Supply Chain Security

(blog.packagist.com)

22 points | by Seldaek 14 days ago

2 comments

  • moebrowne 14 days ago

    I appreciate Composer's slower but deliberate, well thought out approach to supply chain attack mitigations.

  • captn3m0 14 days ago

    I arrived at a similar model for NPM using hooks in pnpm: https://github.com/captn3m0/npm-sec-feed. I love the work Packagist/Composer is doing in the space.

    I’m now a firm believer that every package manager needs to support hooks globally.

    Composer also supports conflicts which results in this amazing approach of having a meta-package conflict with insecure packages: https://github.com/Roave/SecurityAdvisories.

    Can’t happen in Node, sadly, because of language differences.
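The conflict-based meta-package the comment above describes can be sketched in a single `composer.json`. This is an added illustration, not code from Roave/SecurityAdvisories or from the linked repositories: the package name `example-org/security-advisories`, the vendor `example-vendor` and the version constraints are constructed placeholders, not real advisories.

```json
{
    "name": "example-org/security-advisories",
    "description": "Constructed example: a metapackage whose only job is to forbid vulnerable versions",
    "type": "metapackage",
    "license": "MIT",
    "conflict": {
        "example-vendor/http-client": "<1.4.2|>=2.0,<2.1.1",
        "example-vendor/template-engine": "<3.0.5"
    }
}
```

A project that requires this package (for instance under `require-dev`) cannot resolve a dependency graph containing any of the listed versions: Composer's solver treats a `conflict` entry like a negative requirement, so `composer install` or `composer update` fails with a conflict explanation instead of installing the affected release. Because the type is `metapackage`, nothing is written to `vendor/`; the whole effect lives in the resolver. The constraint syntax follows Composer's usual rules (`|` joins alternatives, `,` means both must hold), so `<1.4.2|>=2.0,<2.1.1` blocks the old 1.x line below 1.4.2 and the 2.x line below 2.1.1 while leaving fixed releases installable. The limitation to keep in mind is that this is enforced only at resolution time; an already-installed vulnerable version is flagged the next time the lock file is re-resolved, not by a background check.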