
Not the whole picture
He says the scripts bypass vulnerability was reported through the HackerOne bug bounty program on November 26, 2025. While other JavaScript package managers accepted the reports, npm said the platform was working as intended, and that the ‘ignore-scripts’ setting should prevent unapproved remote code from running.
“We didn’t write this post to shame anyone,” Yomtov said in the blog. “We wrote it because the JavaScript ecosystem deserves better, and because security decisions should be based on accurate information, not assumptions about defenses that don’t hold up.
“The standard advice, disable scripts and commit your lockfiles, is still worth following. But it’s not the whole picture,” he said. “Until PackageGate is fully addressed, organizations need to make their own informed decisions about risk.”

