The last twelve months have been brutal for npm and PyPI. Shai-Hulud and its variants. The May 11 campaign that hit TanStack, Mistral AI, UiPath, and OpenSearch on both registries in the same wave. Bitwarden CLI. Axios. Lightning. Trivy ended up in CISA's KEV catalog. Glassworm.
Every one of those incidents triggered the same news cycle: "developers should be more careful." But "be careful" isn't a process. And most of the textbook advice (pin versions, review dependencies, audit lockfiles, use SBOMs) is either ignored under deadline pressure or quietly skipped because it doesn't scale to the rate at which install commands actually run.
So I want to hear what people are really doing.
Do you read package source before installing anything new? Honestly?
Do you pin every version, or accept caret ranges and hope?
Do you run `npm audit` / `pip-audit` and act on the output, or scroll past it?
Have you actually disabled install scripts (`npm config set ignore-scripts true`, yarn's `enableScripts: false`)? If yes, what broke?
Anyone using lockfile-only installs (`npm ci`, `pip install -r requirements.txt --require-hashes`) consistently in dev, not just CI?
Are you running a scanner (Socket, Snyk, Aikido, GitHub Advanced Security, something else)? Does it catch things, or mostly just generate noise?
What's the policy at your company versus what you actually do on your own machine?
I'm asking because I am launching Veln tomorrow it's a local proxy that scores npm and pip packages and blocks the bad ones before they download. But I built it from my own habits, which is a sample size of one. The more honestly people answer the question above, the better the tool gets. No wrong answers. "I do basically nothing and hope" is a real and common answer.
Nice launch, Pavle. Wild timing with the Shai-Hulud npm attack today.
Curious what your take is on it. From your perspective, was this mostly a case of teams needing better package verification before install, or does it point to a deeper trust problem with the npm ecosystem itself?
@danush_singla Thanks, yeah I think its a deeper problem, as you can see also yesterday github has had its internal source code compromised. Seems to be going all around, so seems like we are entering in an era of needing to verify everything before using
That makes sense. I’ll admit I’m not deeply familiar with the cybersecurity industry, but as a developer the Shai-Hulud situation is pretty unsettling. I’ve already lost days on Python/ML projects just trying to get versions and dependencies to cooperate, so the idea that normal install behavior can also become a security risk makes the whole thing feel even worse.
When something like this happens, does it change how you think about Veln’s roadmap? I’m curious whether it pushes you more toward stricter default blocking, clearer “why this was blocked” explanations, or guidance on what a developer should do next after Veln flags something.