That package wasn't any more random than any other NodeJS package. NPM isn't inherently different from, say, Debian repositories, except the latter have oversight and stewardship and scrutiny.
It's really, really not. Just write the libraries yourself. Have a team or two who does that stuff.
cromka|2 months ago
That's what's needed and I am seriously surprised NPM is trusted like it is. And I am seriously surprised developers aren't afraid of being sued for shipping malware to people.
bigfatkitten|2 months ago
Which, when compared to NPM, which has no meaningful controls of any sort, is an enormous difference.
throw-12-16|2 months ago
Yeah, that's the entire point.
metaltyphoon|2 months ago
Realistically, this is impossible.
array_key_first|2 months ago
And, if you do need a lib because it's too much work, like maybe you have to parse some obscure language, just vendor the package. Read it, test it, make sure it works, and then pin the version. Realistically, you should only have a few dozen packages like this.
baq|2 months ago
anthk|2 months ago
At least they seemed to have policies:
https://security.metacpan.org/