Mark H Weaver <[email protected]> writes:

> I'm uneasy about the size of its package-lock.json file:
>
> https://github.com/darkreader/darkreader/blob/v4.9.29/package-lock.json
>
> It contains *1074* unique URLs to libraries at registry.npmjs.org.

[...]

> I'm uncomfortable with putting our trust into so many libraries on
> npmjs.org, but I welcome other opinions.
Also: of those 1074 dependencies, 272 of them rely on SHA-1 for
integrity protection of the downloaded packages.
Mark
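An added script, not from this thread or the darkreader project, that reproduces the kind of count quoted above on any package-lock.json: it collects the unique tarball URLs resolved from registry.npmjs.org and reports which hash algorithm in each entry's SRI `integrity` field protects the download, listing entries that carry only a SHA-1 hash or no hash at all. `SAMPLE_LOCK` is a constructed excerpt; the function and field names other than npm's own lock-file keys are the example's own.

```javascript
// Audit a package-lock.json for unique registry.npmjs.org tarball URLs and the
// integrity algorithm guarding each. Supports lockfileVersion 1 (nested
// "dependencies") and lockfileVersion 2/3 (flat "packages"). Example code only.
const SRI_RANK = { sha512: 3, sha384: 2, sha256: 1, sha1: 0 }; // algorithms npm's ssri accepts

// Yield every dependency record in the lock file, whichever layout it uses.
function* lockEntries(lock) {
  if (lock.packages) { // lockfileVersion 2/3: flat map, "" is the root project itself
    for (const [path, pkg] of Object.entries(lock.packages)) if (path !== "") yield pkg;
    return;
  }
  function* walk(deps) { // lockfileVersion 1: recursively nested dependency trees
    for (const dep of Object.values(deps || {})) { yield dep; yield* walk(dep.dependencies); }
  }
  yield* walk(lock.dependencies);
}

// An SRI string may list several hashes ("sha1-... sha512-..."); npm checks the
// strongest one it knows, so that is the algorithm that actually protects the tarball.
function strongestAlgorithm(integrity) {
  const algs = (integrity || "").split(/\s+/).map(s => s.split("-")[0]).filter(a => a in SRI_RANK);
  return algs.length ? algs.sort((a, b) => SRI_RANK[b] - SRI_RANK[a])[0] : "none";
}

// Count unique tarball URLs on the given registry host by protecting algorithm.
function auditLock(lock, registryHost = "registry.npmjs.org") {
  const byUrl = new Map(); // unique resolved URL -> strongest algorithm present
  for (const e of lockEntries(lock)) {
    if (!e.resolved) continue; // links, workspaces and bundled deps carry no tarball
    let host;
    try { host = new URL(e.resolved).host; } catch { continue; } // skip non-URL "resolved"
    if (host === registryHost) byUrl.set(e.resolved, strongestAlgorithm(e.integrity));
  }
  const counts = {};
  for (const alg of byUrl.values()) counts[alg] = (counts[alg] || 0) + 1;
  const weak = [...byUrl].filter(([, a]) => a === "sha1" || a === "none").map(([u]) => u);
  return { uniqueUrls: byUrl.size, counts, weak };
}

const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: { // constructed excerpt
  a: { resolved: "https://registry.npmjs.org/a/-/a-1.0.0.tgz", integrity: "sha512-AAAA",
       dependencies: { b: { resolved: "https://registry.npmjs.org/b/-/b-2.0.0.tgz", integrity: "sha1-BBBB" } } },
  c: { resolved: "https://example.com/c-3.0.0.tgz", integrity: "sha1-CCCC" }, // other host, ignored
  d: { resolved: "https://registry.npmjs.org/d/-/d-4.0.0.tgz" } // no integrity field at all
} };

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

To run it against a real lock file, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.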
