Description
It'd be nice if something could be done in vite-plus specifically to ensure secure defaults if a user is using npm.
See https://nesbitt.io/2026/03/31/npms-defaults-are-bad.html for examples.
Suggested solution
For safety reasons, we should probably force vp install (when not passed a specific package to add) to map to npm ci, or at least maybe npm install --prefer-offline?
Alternative
No response
Additional context
It may also be a good idea to have vp env doctor point the user to various more-secure options as well, for example using min-release-age if not set, blocking scripts from running on-package-install (--ignore-scripts), and so on.
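As an added illustration of what such a doctor-style check could look like (example code, not vite-plus or npm code): a POSIX shell check that reads a project .npmrc and flags the two hardening settings named above when they are absent. It assumes the npm config keys are spelled `ignore-scripts` and `min-release-age`, and the .npmrc it inspects is constructed inline.

```shell
# Added example, not vite-plus code: a minimal doctor-style check over a
# project .npmrc for the hardening options discussed in this issue.
# Assumes the npm config keys are spelled `ignore-scripts` and `min-release-age`.

# Print the last value set for key $2 in npmrc file $1 (empty if unset).
# Only "key = value" lines count; commented lines (#, ;) never match the anchor.
npmrc_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
    | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Warn about each missing hardening setting.
# Returns 0 when both are present, 1 when at least one is missing.
npmrc_check() {
  file=$1
  missing=0
  if [ "$(npmrc_get "$file" ignore-scripts)" != "true" ]; then
    echo "warn: ignore-scripts is not true; lifecycle scripts run on install"
    missing=1
  fi
  if [ -z "$(npmrc_get "$file" min-release-age)" ]; then
    echo "warn: min-release-age is unset; just-published versions install immediately"
    missing=1
  fi
  return "$missing"
}

# Demo on a constructed .npmrc written to a temp file (not a real project file).
# Echoes "hardened" or "weak" and returns the check's status.
demo() {
  f=$(mktemp) || return 2
  printf 'registry=https://registry.npmjs.org/\n' > "$f"
  printf 'ignore-scripts = true\nmin-release-age = 7\n' >> "$f"
  if npmrc_check "$f"; then rc=0; echo "hardened"; else rc=1; echo "weak"; fi
  rm -f "$f"
  return "$rc"
}
```

Running `demo` on the constructed hardened file prints nothing but "hardened"; pointing `npmrc_check` at a project's real .npmrc is where the warnings become useful.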
Validations