v0.6.1

dannote released this 12 May 11:35

· 38 commits to master since this release

65db98c

Harden tarball extraction against path traversal and absolute-path entries
Preserve install-script metadata in npm.lock
Warn when dependencies declare ignored lifecycle scripts
Document that npm_ex does not run package lifecycle hooks automatically, mitigating install-time credential stealers

Assets 2