Arrange Act Assert

Jag Reehal's thinking on things, mostly product development

Tag: sandbox

4 posts tagged “sandbox”.

Minimum release age is necessary, but not enough

15 Jun 2026

The most-recommended npm defence right now is a cooldown: refuse to install any version published more recently than a few days ago. pnpm shipped it as minimumReleaseAge, Aikido Safe Chain turns it on by default, and after the recent Shai-Hulud-style npm worms, it became the advice everyone repeats.

It is good advice. It closes the window these worms detonate in. But "set a cooldown" is being sold as if it were the whole answer, and it is not. A cooldown knows one thing about a package: how old it is. There are at least three reasons that is not enough on its own, and for each of them age is the wrong question to ask.
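To make concrete how little a cooldown looks at, here is the check written out in plain Node. This is an added example, not code from the post, pnpm or Aikido Safe Chain. It assumes the shape of an npm registry packument (the `time` map of version to publish date, which the registry does expose) and uses a constructed packument for a hypothetical package called `left-pad-ish`; no network access is needed.

```javascript
// Added example (not from the post): everything a release-age cooldown checks,
// written out. A packument's `time` map gives each version's publish date; the
// cooldown is one subtraction against it. The packument below is constructed
// for a hypothetical package, not fetched from the registry.

const MINUTE_MS = 60 * 1000;

// "now" is pinned so the example is reproducible.
const NOW = new Date("2026-06-15T12:00:00Z");

const packument = {
  name: "left-pad-ish", // hypothetical package
  "dist-tags": { latest: "1.2.1" },
  time: {
    created: "2023-01-10T09:00:00Z",
    modified: "2026-06-15T10:05:00Z",
    "1.1.0": "2023-01-10T09:00:00Z",
    "1.2.0": "2026-05-10T08:30:00Z", // about five weeks before NOW
    "1.2.1": "2026-06-15T10:05:00Z", // 115 minutes before NOW
  },
};

// Keys such as "created" and "modified" live beside the versions in `time`.
const SEMVER_RE = /^\d+\.\d+\.\d+$/;

function ageMinutes(pkg, version, now) {
  const published = pkg.time[version];
  if (published === undefined) {
    throw new Error(`no publish time recorded for ${version}`);
  }
  return (now.getTime() - Date.parse(published)) / MINUTE_MS;
}

// The cooldown decision: true when the version is at least minAgeMinutes old.
function passesCooldown(pkg, version, minAgeMinutes, now) {
  return ageMinutes(pkg, version, now) >= minAgeMinutes;
}

function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// What a cooldown-aware resolver picks: the highest version that is old enough.
// It skips dist-tags.latest when that version is too fresh, and it says nothing
// about whether the version it does pick is safe; an old malicious release
// passes this check just as easily as an old clean one.
function newestEligible(pkg, minAgeMinutes, now) {
  const eligible = Object.keys(pkg.time)
    .filter((k) => SEMVER_RE.test(k))
    .filter((v) => passesCooldown(pkg, v, minAgeMinutes, now))
    .sort(compareVersions);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

if (typeof require !== "undefined" && require.main === module) {
  const threeDays = 3 * 24 * 60;
  console.log("latest tag:          ", packument["dist-tags"].latest);
  console.log("with 3-day cooldown: ", newestEligible(packument, threeDays, NOW));
  console.log("with no cooldown:    ", newestEligible(packument, 0, NOW));
}
```

With a three-day cooldown the resolver installs 1.2.0 instead of the 115-minute-old 1.2.1, which is exactly the window the worms rely on. Note what the function never reads: the tarball, the maintainer, the install scripts. Age is the only input.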

Read More →

npm install runs code you never read

15 Jun 2026

You run npm install without thinking. It looks like a download step. It is a trust decision.

Every package that resolves into your tree can run code the moment it installs, with the same access you have: your SSH keys, the npm token in ~/.npmrc, your cloud credentials, your .env. Not the package you typed. Any of the hundreds underneath it. You approved none of them by name, and the package manager never asked.

The fix is not to read more or trust less. It is to run that install somewhere your secrets are not.

Read More →