One of my projects uses an impacted version. However, we use bun as a package manager. Thrilled bun protected us by default!
> executing arbitrary scripts represents a potential security risk, so—unlike other npm clients—Bun does not execute arbitrary lifecycle scripts by default.
Correct. Pretty limited as a protection when the first thing you do after installing a package is running it.
Literally the only thing blocking scripts protects you from is if a package is bundled by webpack and not run by node. If the compromise happens in nx, it's just run after you type nx[enter] in your command line.