Not the whole picture
He says the scripts bypass vulnerability was reported through the HackerOne bug bounty program on November 26, 2025. Whereas other JavaScript package managers accepted the reports, npm said the platform was working as intended, and that the ‘ignore scripts’ command should prevent the running of unapproved remote code.
“We didn’t write this post to shame anyone,” Yomtov said in the blog. “We wrote it because the JavaScript ecosystem deserves better, and because security decisions should be based on accurate information, not assumptions about defenses that don’t hold up.
“The standard advice, disable scripts and commit your lockfiles, is still worth following. But it’s not the whole picture,” he said. “Until PackageGate is fully addressed, organizations need to make their own informed decisions about risk.”
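The two mitigations named above (an `ignore-scripts` setting and a committed lockfile) are easy to audit for, and auditing them also shows their limit: they say nothing about which dependencies actually carry install scripts. The following Python check is an added example for this article, not code from the article, from Yomtov or from npm. It assumes an npm lockfile of version 2 or 3, where entries under `packages` carry a `hasInstallScript` flag, and it runs against a small constructed sample project written to a temporary directory.

```python
import json
import os
import tempfile

# Constructed sample project (not a real project): an .npmrc that disables
# scripts, plus a v3 lockfile in which one dependency has an install script.
SAMPLE_NPMRC = "ignore-scripts=true\n"
SAMPLE_LOCKFILE = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app",
             "dependencies": {"left-side": "1.0.0", "native-thing": "2.1.0"}},
        "node_modules/left-side": {
            "version": "1.0.0",
            "resolved": "https://registry.example/left-side-1.0.0.tgz"},
        "node_modules/native-thing": {
            "version": "2.1.0",
            "resolved": "https://registry.example/native-thing-2.1.0.tgz",
            "hasInstallScript": True},
    },
}


def read_npmrc_ignore_scripts(project_dir):
    """Return True only if the project-level .npmrc sets ignore-scripts=true."""
    path = os.path.join(project_dir, ".npmrc")
    if not os.path.exists(path):
        return False
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            # .npmrc is ini-style; strip '#' and ';' comments before parsing
            line = raw.split("#", 1)[0].split(";", 1)[0].strip()
            if "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "ignore-scripts":
                return value.lower() == "true"
    return False


def packages_with_install_scripts(project_dir):
    """List (name, version) of lockfile entries flagged hasInstallScript.

    Returns None when no package-lock.json is committed at all.
    """
    path = os.path.join(project_dir, "package-lock.json")
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        lock = json.load(fh)
    flagged = []
    for location, entry in lock.get("packages", {}).items():
        # The "" key is the root project itself; skip it
        if location and entry.get("hasInstallScript"):
            name = location.replace("node_modules/", "", 1)
            flagged.append((name, entry.get("version", "?")))
    return sorted(flagged)


def audit_project(project_dir):
    """Summarise both standard mitigations and what they leave uncovered."""
    scripts = packages_with_install_scripts(project_dir)
    return {
        "ignore_scripts": read_npmrc_ignore_scripts(project_dir),
        "lockfile_present": scripts is not None,
        # Even with scripts disabled, these are the packages whose install
        # hooks would run if the setting were ever bypassed or removed.
        "install_script_packages": scripts or [],
    }


def build_sample_project():
    """Write the constructed sample files to a temp dir and return its path."""
    project_dir = tempfile.mkdtemp(prefix="npm-audit-")
    with open(os.path.join(project_dir, ".npmrc"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_NPMRC)
    with open(os.path.join(project_dir, "package-lock.json"), "w",
              encoding="utf-8") as fh:
        json.dump(SAMPLE_LOCKFILE, fh)
    return project_dir


if __name__ == "__main__":
    print(audit_project(build_sample_project()))
```

Point it at a real checkout by calling `audit_project(".")`; the list under `install_script_packages` is the set of dependencies to review by hand, since the `ignore-scripts` setting only suppresses their hooks and, as the article notes, is not the whole picture.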