top | item 45170982

(no title)

NPM is owned by GitHub and therefore Microsoft, who is too busy putting in Copilot into apps that have 0 reason to have any form of generative AI in them

discuss

Cthulhu_|5 months ago

But Github does loads of things with security, including reporting compromised NPM packages. I didn't know NPM is owned by Microsoft these days though, now that I think about it, Microsoft of all parties should be right on top of this supply chain attack vector - they've been burned hard by security issues for decades, especially in the mid to late 90's, early 2000s as hundreds of millions of devices were connected to the internet, but their OS wasn't ready for it yet.

wutbrodo|5 months ago

It's not like NPM pre-Microsoft was a paragon of professional management or engineering...

Maxious|5 months ago

For those who have forgotten, Microsoft buying npm was basically a community service given npm inc was on the brink of collapsing

https://www.businessinsider.com/npm-ceo-bryan-bogensberger-r...

https://www.businessinsider.com/npm-cofounder-laurie-voss-re...

mixologic|5 months ago

The difference is in the apparent available resources. You cant get to "professional" without the time and money, and NPM post acquisition, presumably, has more of both. Granted, NPM probably doesn't have a revenue model to speak of, which means Microsoft is probably not paying it much attention.

bnchrch|5 months ago

Good god. Not everything has to be about your opinion on AI.

PokestarFan|5 months ago

GitHub was folded into Microsoft's "CoreAI" team. Not very confidence-inspiring.

jay_kyburz|5 months ago

Actually, they could probably use AI to see if each update to a package looks malicious or obfuscated.

txdv|5 months ago

Just write a check.md instruction for copilot to check it for malicious acticity, problem solved

andix|5 months ago

Is it really owned and run by Microsoft? I thought they only provide infrastructure, servers and funding.