This is related to the axios supply chain attack I mentioned in #289. Axios is not the first, and definitely not the last one to be compromised. A better protection would be to use a package manager that blocks postinstall scripts by default. pnpm and bun do this. Bun is better if you want the performance benefits as well, which was the strongest benefit.
Of course, other contributors may still run their own insecure package manager to install the dependencies, but that's their own risk. Or you can enforce it if you want, through a preinstall script: `npx only-allow bun`
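An added example (not from the comment above) of how the two protections sit together in a package.json: the `preinstall` hook runs `only-allow` so any installer other than bun exits with an error, and bun's `trustedDependencies` field is the explicit allowlist of packages whose lifecycle scripts may run, everything else stays blocked. The package name and the single trusted dependency are hypothetical placeholders.

```json
{
  "name": "example-app",
  "private": true,
  "scripts": {
    "preinstall": "npx only-allow bun"
  },
  "trustedDependencies": [
    "native-addon-placeholder"
  ]
}
```

Review the list every time it grows: a dependency added there regains the postinstall execution the default setting took away.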