Hey, so as of recently the core registry waits for at least 24 hours before updating a package to a new version; this is extended to 72 hours for npm packages. Allowing for custom minimum release ages is a bit trickier to implement because of how the registry functions and would require quite some work to properly implement, but certainly not opposed to the idea.
Does Mason have any options to reduce the risk of supply chain attacks or does it just rely on upstream mechanisms?
For example, in mise I can use the `install_before` setting to prevent updates until the package has been out for a number of days: https://mise.jdx.dev/configuration/settings.html#install_before. By setting it to `7d` for example I give the open-source-o-sphere plenty of time to spot the attacks and pull the code.

Thanks.
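The release-age gate discussed in this thread, as an added example that is not Mason's or mise's code: it picks the newest version whose publish time is older than a cooldown, using the 24-hour and 72-hour (npm) delays from the reply and a `7d`-style user setting from the question. The function names, the source labels and the release list are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Delays taken from the reply in this thread; the lookup shape is an assumption.
REGISTRY_MIN_AGE = {"npm": timedelta(hours=72)}
DEFAULT_MIN_AGE = timedelta(hours=24)

# Constructed sample data: (version, published_at) pairs for one package.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("1.0.0", NOW - timedelta(days=30)),
    ("1.1.0", NOW - timedelta(days=5)),
    ("1.1.1", NOW - timedelta(hours=48)),
    ("1.2.0", NOW - timedelta(hours=6)),  # too fresh for any cooldown here
]


def parse_age(text):
    """Parse a '<n>d' or '<n>h' duration such as '7d' (hypothetical helper)."""
    units = {"d": "days", "h": "hours"}
    value, unit = text[:-1], text[-1:]
    if unit not in units or not value.isdigit():
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(**{units[unit]: int(value)})


def eligible_version(releases, source, now, user_min_age=None):
    """Return the most recently published version that has aged enough, or None.

    The effective cooldown is the stricter of the registry delay and the
    user's own setting, so a user value can lengthen the wait but not shorten it.
    """
    min_age = REGISTRY_MIN_AGE.get(source, DEFAULT_MIN_AGE)
    if user_min_age is not None:
        min_age = max(min_age, parse_age(user_min_age))
    cutoff = now - min_age
    aged = [(published, version) for version, published in releases
            if published <= cutoff]
    if not aged:
        return None  # nothing has aged enough: keep the installed version
    return max(aged)[1]


if __name__ == "__main__":
    for source, user in [("github", None), ("npm", None), ("npm", "7d")]:
        print(source, user, "->", eligible_version(SAMPLE, source, NOW, user))
```

Selection here is by publish time rather than by version ordering, so a backported patch release published later than a higher version number would win.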