This helps to secure the dependency supply chain. Packages from trusted sources are considered safer, as they are typically subject to more reliable verification and scanning for malware and vulnerabilities.

Exotic sources are dependency locations that bypass the usual trusted resolution process. These protocols are specifically targeted and blocked: Git repositories (git+ssh://...) and direct URL links to tarballs (https://.../package.tgz).

Related PR: #10265.

Patch Changes

• Show deprecation in table/list formats when latest version is deprecated #8658.
• Remove the injectWorkspacePackages setting from the lockfile on the deploy command #10294.
• Normalize the tarball URLs before saving them to the lockfile. URLs should not contain default ports, like :80 for http and :443 for https #10273.
• When a dependency is installed via a direct URL that redirects to another URL and is immutable, the original URL is normalized and saved to package.json #10197.

Platinum Sponsors

Gold Sponsors