About

Full-Stack Developer with 15+ years of experience and over 15,000 hours on Upwork, where I hold a Top Rated Plus badge (Top 3% of talent). I specialize in building scalable applications for tech companies and e-commerce founders, always with clean, maintainable code and measurable results.

Badges

Tastemaker
Veteran
Gone streaking

Maker History

Forums

How do you protect yourself from supply chain attacks?

The last twelve months have been brutal for npm and PyPI. Shai-Hulud and its variants. The May 11 campaign that hit TanStack, Mistral AI, UiPath, and OpenSearch on both registries in the same wave. Bitwarden CLI. Axios. Lightning. Trivy ended up in CISA's KEV catalog. Glassworm.
Every one of those incidents triggered the same news cycle: "developers should be more careful." But "be careful" isn't a process. And most of the textbook advice (pin versions, review dependencies, audit lockfiles, use SBOMs) is either ignored under deadline pressure or quietly skipped because it doesn't scale to the rate at which install commands actually run.
So I want to hear what people are really doing.
Do you read package source before installing anything new? Honestly?
Do you pin every version, or accept caret ranges and hope?
Do you run `npm audit` / `pip-audit` and act on the output, or scroll past it?
Have you actually disabled install scripts (`npm config set ignore-scripts true`, yarn's `enableScripts: false`)? If yes, what broke?
Anyone using lockfile-only installs (`npm ci`, `pip install -r requirements.txt --require-hashes`) consistently in dev, not just CI?
Are you running a scanner (Socket, Snyk, Aikido, GitHub Advanced Security, something else)? Does it catch things, or mostly just generate noise?
What's the policy at your company versus what you actually do on your own machine?
I'm asking because I am launching Veln tomorrow; it's a local proxy that scores npm and pip packages and blocks the bad ones before they download. But I built it from my own habits, which is a sample size of one. The more honestly people answer the questions above, the better the tool gets. No wrong answers. "I do basically nothing and hope" is a real and common answer.
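Three of the questions above (exact pins, `--require-hashes`, disabled install scripts) can be turned into a check that runs before any install command does. The script below is an added example written for this thread; it is not part of the post and not Veln's code. It audits a `requirements.txt`, a `package.json` and an `.npmrc` against those three rules and reports what the policy would reject. All three sample inputs are constructed, and the sha256 digest in them is a placeholder, not a real hash.

```python
"""Pre-install policy gate: exact pins, pip hash entries, npm scripts disabled.

Added example, not Veln's code. Sample inputs are constructed.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# requirement line: name, optional extras, optional operator, version
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s\\]*)"
)
_HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}")
_EXACT_SEMVER_RE = re.compile(r"\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?")


@dataclass
class Finding:
    source: str   # which file the problem is in
    item: str     # package name or setting
    problem: str  # what the policy requires


def check_requirements(text: str) -> list[Finding]:
    """pip: every requirement needs an == pin and at least one sha256 hash.
    Without the hash, `pip install --require-hashes` refuses the file anyway."""
    findings: list[Finding] = []
    # join backslash-continued lines so hashes on following lines attach to the requirement
    logical = re.sub(r"\\\n\s*", " ", text)
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or an option line such as -r / --index-url
        m = _REQ_RE.match(line)
        if not m:
            findings.append(Finding("requirements.txt", line, "unparseable requirement"))
            continue
        name, _extras, op, _version = m.groups()
        if op != "==":
            findings.append(Finding("requirements.txt", name, "not pinned with =="))
        if not _HASH_RE.search(line):
            findings.append(Finding("requirements.txt", name, "no --hash=sha256 entry"))
    return findings


def check_package_json(text: str) -> list[Finding]:
    """npm: flag caret, tilde, x and other ranges; a lockfile-only workflow expects exact versions."""
    findings: list[Finding] = []
    pkg = json.loads(text)
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if not (isinstance(spec, str) and _EXACT_SEMVER_RE.fullmatch(spec)):
                findings.append(Finding("package.json", name, f"range {spec!r} instead of an exact version"))
    return findings


def check_npmrc(text: str) -> list[Finding]:
    """npm: install scripts must be off for the project (`ignore-scripts=true` in .npmrc)."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()  # .npmrc comments start with ; or #
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    if settings.get("ignore-scripts", "").lower() != "true":
        return [Finding(".npmrc", "ignore-scripts", "not set to true; postinstall scripts will run")]
    return []


def audit_all(requirements: str, package_json: str, npmrc: str) -> list[Finding]:
    """Run all three checks; an empty list means the install may proceed."""
    return check_requirements(requirements) + check_package_json(package_json) + check_npmrc(npmrc)


# Constructed samples. FAKE_HASH is a placeholder digest, not a real package hash.
FAKE_HASH = "ab" * 32
SAMPLE_REQUIREMENTS = (
    "# constructed sample requirements.txt\n"
    f"requests==2.32.3 \\\n    --hash=sha256:{FAKE_HASH}\n"
    "flask>=3.0\n"
    "pyyaml\n"
)
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"axios": "^1.7.0", "left-pad": "1.3.0"},
    "devDependencies": {"vitest": "~2.0.0"},
})
SAMPLE_NPMRC = "; constructed sample .npmrc\nregistry=https://registry.npmjs.org/\n"

if __name__ == "__main__":
    for f in audit_all(SAMPLE_REQUIREMENTS, SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC):
        print(f"{f.source}: {f.item}: {f.problem}")
```

Wire `audit_all` into a pre-commit hook or a CI step that runs before `npm ci` / `pip install --require-hashes`, and the gap between "policy at your company" and "what you actually do on your own machine" becomes visible on every install rather than only in a post-incident review.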

What package managers do you actually use day to day in 2026?

Building dev tooling means picking what to support first. The "popular" answer is not always the real answer: npm is dominant by registry stats, but the developers I talk to are split across yarn, pnpm, bun, and uv depending on team and ecosystem. If you're up for sharing:
Primary package manager you reach for on a new project (npm, yarn, pnpm, bun, pip, uv, poetry, pipx, something else)
Whether that's the same one your team standardizes on, or just your personal preference
Has anything moved in the last 12 months? bun went from "interesting" to "actually shipping" pretty fast, uv similarly on the Python side
I'm building a tool that hooks into all of these (Veln, launching tomorrow), and the assumption I went in with was npm/pnpm dominant on JS, uv eating into pip on Python. Curious whether that matches reality or whether I should be weighting differently.

Pavle

5d ago

Veln — every package, verified: Block bad npm and pip packages. Before they download.

Over 20 trust signals score every npm and pip install — CVEs, maintainer drift, install scripts, hidden payloads. Bad packages refused befo

Supply chain attacks on npm and PyPI keep landing in production — usually hours before any threat feed catches up. Veln is a local proxy that scores every install against 20+ trust signals (CVEs, maintainer changes, install scripts, hidden payloads) before a single byte hits your disk. Same commands, same lockfiles, zero workflow change.