@mdallastella Wait a minute, did you read the thread? This is superhardcore!

@mdallastella So, if I understood correctly.

The maintainer (the author of hundreds of npm modules) gave away the NPM access to the module to someone who used the package to make an attack?

WTF am I reading?

@ekaitz_zarraga @mdallastella it’s funny in a tragic way. I can almost sympathise with the maintainer, it’s tempting to let someone who cares take over a project, until he shows up all unrepentant.

@cbowdon @ekaitz_zarraga I agree that users of that library should be more careful and check all the dependencies before updating, but I can't forgive someone who gives away the maintenance of a library so widely used without any care, it's not that responsible.

@mdallastella Just checked the profile of the "hacker"...

It has like 3 repos, few commits and the profile is so fucking empty. This is so wrong I can't even believe it.

Dominic Tarr dude, maybe the developer who made the most npm packages in the world. What the actual fuck?

Ohh boy, here we go again! So where should I start checking (project dependencies, installed apps on the desktop, ...)?

Is there any tldr?

@mdallastella Scary indeed, the original author of that library shares some interesting views in this gist: gist.github.com/dominictarr/9f

@mdallastella I guess that's what makes the JS ecosystem so vibrant, that a guy in his garage can share his code with the whole world with no effort on both sides.
It's also normal for people to move on.
I don't know how to fix the JS ecosystem, but the guy makes a point.

If anything, I hope this incident kickstarts projects that aim to fix this.

github.com/wilk/snpm is a good idea to solve one of the issues, but it doesn't have any traction...
