zk
Hi. I'm also having this issue. I've tried generating some brand new .pem keys to see if those are accepted as valid input, but they don't appear to be accepted....
No, sorry; just a mistake in my formatting: 
Related reply to ljharb: > Separately, it would be a very harmful change. The solution to the exceedingly rare case of bugs or malice coming in from an in-range...
> I don't think it is missing the mark. 8 packages out of hundreds of millions in a decade is statistically insignificant. It doesn't really matter how many packages are...
> You'd use overrides, new in npm v8.3, to force the transitive dependency to be an alternative version, or alternative package. Could you specify command by command what should be...
> npm 6 and 7 are both EOL, so those people should be upgrading to npm 8 regardless. Ah, I didn't know 6 and 7 were EOL. Regardless, not everyone...
> The current process is that applications should always have a lockfile. Your CI should be running `npm ci`. Locally, you can run `npm install` and it may generate lockfile...
> You don't - you let them update, and you catch it in review/CI. What you're saying is that there is no way to do *anything* involving `package.json` without updating...
> Thanks! I couldn't find the download counts now that the malicious versions were removed. so, 190,000 downloads out of 23 million, which is about 0.08%? 1.4.1 and 1.4.44 were...
> @pfych any environment in which it caused downtime failed to use a lockfile. Any environment which used one didn’t have any downtime. This isn't the point though. Almost every...