It's so bad! It's mostly the maintainer's fault for just handing over the keys to the kingdom to a stranger. But if Node/NPM had saner security practices (e.g. package signing, checksums, not having dependency graphs with 1000s of transitive dependencies) then stuff like this wouldn't happen.

Oh well, every incident just solidifies my decision to stay far away from the Node ecosystem.

Oh, and the helpful "feature" of automatically updating to the latest minor version unless you explicitly opt out in package.json, which specifically caused this particular incident.
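To make the "updates to the latest minor version" point concrete, here is an added example, not code from the thread or from npm itself: a minimal model of how npm resolves the three version-spec shapes that matter here. A bare `1.2.3` is an exact pin, `~1.2.3` admits new patch versions only, and `^1.2.3` (what npm writes into package.json by default, since its default `save-prefix` is `^`) admits new minor and patch versions within the same major. The package name and the list of published versions are constructed for the example; prerelease tags and compound ranges are deliberately left out.

```javascript
// Added example: a simplified model of npm semver range resolution.
// Not npm's own code; exact / tilde / caret ranges only, no prereleases.

// Constructed registry state for a hypothetical package: assume these are
// the versions currently published, 3.4.0 being the newest 3.x release.
const PUBLISHED = ['3.3.4', '3.3.5', '3.3.6', '3.4.0', '4.0.0'];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, field-by-field comparison (so 3.10.0 > 3.9.0, unlike string order).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Turn a spec into [lower inclusive, upper exclusive]; exact pins have no upper.
function rangeBounds(spec) {
  const prefix = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  const base = prefix ? spec.slice(1) : spec;
  const [major, minor, patch] = parseVersion(base);
  if (!prefix) return { lower: base, upper: null, exact: true };
  let upper;
  if (prefix === '~') {
    upper = [major, minor + 1, 0];          // ~X.Y.Z  -> <X.(Y+1).0
  } else if (major > 0) {
    upper = [major + 1, 0, 0];              // ^X.Y.Z  -> <(X+1).0.0
  } else if (minor > 0) {
    upper = [0, minor + 1, 0];              // ^0.Y.Z  -> <0.(Y+1).0
  } else {
    upper = [0, 0, patch + 1];              // ^0.0.Z  -> only 0.0.Z
  }
  return { lower: base, upper: upper.join('.'), exact: false };
}

function satisfies(version, spec) {
  const { lower, upper, exact } = rangeBounds(spec);
  if (exact) return compareVersions(version, lower) === 0;
  return compareVersions(version, lower) >= 0 && compareVersions(version, upper) < 0;
}

// What an install with no lockfile would pick: the highest published version
// that satisfies the spec, or null if nothing does.
function resolve(spec, published) {
  const candidates = published.filter((v) => satisfies(v, spec));
  if (candidates.length === 0) return null;
  candidates.sort(compareVersions);
  return candidates[candidates.length - 1];
}

// Three ways the same dependency can be declared, and what each pulls in today.
for (const spec of ['3.3.4', '~3.3.4', '^3.3.4']) {
  console.log(`${spec.padEnd(7)} -> ${resolve(spec, PUBLISHED)}`);
}
```

Run it with `node` and the difference is visible in one screen: the exact pin stays at 3.3.4, the tilde range moves to 3.3.6, and the default caret range moves to 3.4.0, so a newly published minor version is installed by anyone who re-resolves without a lockfile. The practical checks are to commit package-lock.json and install with `npm ci` (which installs exactly what the lockfile records, transitive dependencies included), and, if you want exact pins written by default, to set `save-exact=true` in `.npmrc` (`npm config set save-exact true`).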

@jdormit yeah the trust just keeps getting lower with anything related to NPM
