Using `npx --yes` skips the install confirmation prompt, so npx fetches and runs whatever package currently resolves to that name without any verification. If the name is typosquatted or the package is compromised, that is a supply chain attack executing inside your build. Always install required tools as explicit dependencies in your project.
Instead of this (risky):
npx --yes @datadog/datadog-ci sourcemaps upload "$DIST_PATH"
Do this instead (safer):
# In package.json, add as a dev dependency:
# "@datadog/datadog-ci": "^x.y.z"
# Then in your script:
npx @datadog/datadog-ci sourcemaps upload "$DIST_PATH"
By explicitly declaring dependencies, you ensure consistent versions, improve security posture, and enable your team to review all dependencies during security audits.
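The following is an added example, not part of the original text: a small POSIX shell guard for CI that flags `npx --yes` / `npx -y` lines in a script and refuses to run a CLI through npx unless the package is declared in package.json. It assumes only `grep` and `awk`, and the package.json and deploy.sh fixture it writes are constructed for illustration (the version string is the placeholder from the text).

```shell
#!/bin/sh
# Added example (not from the original page). Two checks for CI scripts:
# 1. count npx invocations that auto-install without confirmation;
# 2. refuse to run a CLI via npx unless the package is a declared dependency.

# Prints the number of lines in $1 that invoke `npx --yes` or `npx -y`.
count_auto_install_npx() {
  grep -cE '(^|[[:space:]])npx[[:space:]]+(--yes|-y)([[:space:]]|$)' "$1" || true
}

# Returns 0 when package $1 is listed under "dependencies" or
# "devDependencies" in package.json at $2 (one entry per line, as npm writes it).
dep_declared() {
  awk -v pkg="\"$1\"" '
    /"(dev)?[dD]ependencies"[[:space:]]*:/ { in_deps = 1; next }
    in_deps && /^[[:space:]]*}/            { in_deps = 0 }
    in_deps && $1 == pkg ":"               { found = 1 }
    END { exit !found }
  ' "$2"
}

# Runs package $1's CLI from project dir $2 with the remaining args, but only
# if the package is declared. No --yes: npx uses the locally installed copy
# pinned by the lockfile instead of fetching an arbitrary registry version.
run_declared_cli() {
  pkg="$1"; dir="$2"; shift 2
  if ! dep_declared "$pkg" "$dir/package.json"; then
    echo "refusing to run $pkg: not declared in $dir/package.json" >&2
    return 1
  fi
  (cd "$dir" && npx "$pkg" "$@")
}

# Constructed fixture: a project that declares the tool plus a deploy script
# that still uses --yes, so both checks have something to find.
make_fixture() {
  dir=$(mktemp -d)
  cat > "$dir/package.json" <<'EOF'
{
  "name": "example-app",
  "devDependencies": {
    "@datadog/datadog-ci": "^x.y.z"
  }
}
EOF
  cat > "$dir/deploy.sh" <<'EOF'
npx --yes @datadog/datadog-ci sourcemaps upload "$DIST_PATH"
npx -y some-other-tool
npx @datadog/datadog-ci sourcemaps upload "$DIST_PATH"
EOF
  printf '%s\n' "$dir"
}
```

Running `count_auto_install_npx "$dir/deploy.sh"` on the fixture reports 2 offending lines, and `run_declared_cli left-pad "$dir"` refuses because the package is not declared.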