bodash's comments

GitHub repo (800+ stars) on a list of tips for protecting against npm supply chain attacks: https://github.com/bodadotsh/npm-security-best-practices

There's no magical solution; you just have to use (WAY) fewer dependencies.

This is a surprise. And they still haven't included corepack as an official instruction on the nodejs.org download page. Is corepack a failed experiment?



Astro might be the closest option here. JSX can be used as a templating language for it, and devs can still opt in to full clientful islands.


AstroNvim v6 was just released after Neovim 0.12, and it's my favourite out-of-the-box setup.


Some great tips in this thread, and I've been collecting them all at https://github.com/bodadotsh/npm-security-best-practices


Exactly! I’ve noticed a resounding amount of people are writing the same pieces recently, it’s almost like everyone’s sounding their alarm for the upcoming tsunami. Who’s listening? Here’s my piece: https://humantodo.dev


Got a link?


Unfortunately it's in a private repo. I built it for a client who wanted to build a HN clone for an E-commerce audience. It never took off.

Didn't help that they had me add a paywall to it.


Personally, I think Go + HTMX + PostgreSQL + Redis can go a long mile, but I could be missing hindsights.


I can see how some high-paced teams might see HUMANTODO as speed bumpers in their environments. To that, I say this will be a conscious choice, and a trade-off teams are willing to experiment with to see if the intentional slow-down will improve quality over time.

But yeah, give HUMANTODO a go, and I might add examples (blog/videos/etc) of how this actually works and integrates within real life projects.

