So @pnpm.io's onlyBuiltDependencies feature is flawed by default: you don't re-approve to update dependencies.
Let's say you use @rspack.dev and add "rspack/core" to the list, what happens if rspack is compromised and releases a malicious version? It is still "trusted" by pnpm.
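One defender-side way to close the gap the post describes is to pin each build approval to the version that was actually reviewed, and fail CI when the lockfile moves past it. The script below is an added example, not code from pnpm or from the original post: it assumes a hypothetical sidecar file (here `build-approvals.json`, loaded inline as constructed data) that records the version reviewed when a package was added to `onlyBuiltDependencies`, and it reads only the `packages:` section of a pnpm v9 `pnpm-lock.yaml` with a deliberately small line-based matcher rather than a full YAML parser. The lockfile excerpt and integrity values are constructed placeholders.

```python
"""
Added example (not from the pnpm project or the original post): a small
defender-side check that pins build approvals to a version.

pnpm's ``onlyBuiltDependencies`` list holds only package *names*, so an
approval made for one version carries over to every later version. This
script keeps a sidecar record (hypothetical name: build-approvals.json) of
the exact version reviewed, and reports any approved package whose lockfile
version no longer matches, so its install scripts get re-reviewed.
"""
import json
import re

# Matches package keys in the `packages:` section of a pnpm v9 lockfile, e.g.
#   '@rspack/core@1.3.5':
#   esbuild@0.25.0:
# pnpm quotes scoped names; the pattern accepts quoted and unquoted keys and
# tolerates a trailing peer-dependency suffix such as (foo@1.0.0).
_PKG_KEY = re.compile(
    r"^  '?(?P<name>@?[^'@\s]+)@(?P<version>[^'\s(:]+)(?:\([^)]*\))?'?:\s*$"
)


def parse_lock_packages(lock_text: str) -> dict[str, set[str]]:
    """Return {package name: {resolved versions}} from pnpm-lock.yaml text.

    Only the top-level `packages:` section is read; `importers`, `snapshots`
    and any other section are skipped.
    """
    versions: dict[str, set[str]] = {}
    in_packages = False
    for line in lock_text.splitlines():
        if line.strip() and not line.startswith(" "):
            # A new top-level section begins; remember whether it is `packages:`.
            in_packages = line.rstrip() == "packages:"
            continue
        if not in_packages:
            continue
        m = _PKG_KEY.match(line)
        if m:
            versions.setdefault(m.group("name"), set()).add(m.group("version"))
    return versions


def check_build_approvals(approvals: dict[str, str], lock_text: str) -> list[str]:
    """Compare recorded approvals against the lockfile.

    `approvals` maps package name -> version reviewed when the package was
    added to onlyBuiltDependencies. Returns one finding per drifted or
    missing package; an empty list means every approval still matches.
    """
    resolved = parse_lock_packages(lock_text)
    findings: list[str] = []
    for name, approved_version in sorted(approvals.items()):
        actual = resolved.get(name)
        if not actual:
            findings.append(f"{name}: approved at {approved_version} but not in lockfile")
            continue
        drifted = sorted(v for v in actual if v != approved_version)
        if drifted:
            findings.append(
                f"{name}: approved at {approved_version}, lockfile has "
                f"{', '.join(drifted)}; re-review its install scripts"
            )
    return findings


# Constructed sample data: the hypothetical sidecar file and a lockfile excerpt.
SAMPLE_APPROVALS = json.loads('{"@rspack/core": "1.2.8", "esbuild": "0.25.0"}')

SAMPLE_LOCK = """\
lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      '@rspack/core':
        specifier: ^1.2.8
        version: 1.3.5

packages:

  '@rspack/core@1.3.5':
    resolution: {integrity: sha512-PLACEHOLDER}

  esbuild@0.25.0:
    resolution: {integrity: sha512-PLACEHOLDER}

snapshots:

  '@rspack/core@1.3.5': {}
"""

if __name__ == "__main__":
    # In CI: exit non-zero when any approval has drifted.
    findings = check_build_approvals(SAMPLE_APPROVALS, SAMPLE_LOCK)
    for finding in findings:
        print(finding)
    raise SystemExit(1 if findings else 0)
```

Run against the constructed data, the check flags `@rspack/core` (approved at 1.2.8, resolved to 1.3.5) and accepts `esbuild`, which is still at the reviewed version. The approval record deliberately lives outside `pnpm-workspace.yaml` so that `pnpm approve-builds` keeps working unchanged; the cost is that whoever bumps an approved package has to update the sidecar as part of the same review.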
Comments
This feature mitigates risks like this, and that’s it, it’s not designed to prevent all possible attacks.
We don't claim that we have fixed all the possible attack vectors with this change.