zlacker

1. homebr+(OP) 2025-12-02 18:51:30
pnpm does all that on top of node. It also disables postinstall scripts by default, making the recent security incidents we've seen a non-issue.
replies(4): >>antihe+K1 >>daheza+4a >>junon+yp >>replet+bW
2. antihe+K1 2025-12-02 18:58:09
>>homebr+(OP)
I'm not sure why, but bun still feels snappier.
replies(2): >>B56b+Na >>babysh+nh
3. daheza+4a 2025-12-02 19:31:10
>>homebr+(OP)
Are there any popular packages that require postinstall scripts that this hurts?
4. B56b+Na 2025-12-02 19:34:21
>>antihe+K1
This is why: https://bun.com/blog/behind-the-scenes-of-bun-install
5. babysh+nh 2025-12-02 20:00:37
>>antihe+K1
Aside from speed, what would the major selling points be on migrating from pnpm to bun?
6. junon+yp 2025-12-02 20:40:03
>>homebr+(OP)
As the victim of the larger pre-Shai-Hulud attack, unfortunately the install-script validation wouldn't have protected you. Also, if you already have an infected package on the whitelist, a new infection in the install script will still affect you.
7. replet+bW 2025-12-02 23:51:40
>>homebr+(OP)
A whitelist in package.json is only a partial assist.