NPM Security Concerns
The cluster discusses vulnerabilities and security risks in NPM, such as supply chain attacks, malicious packages, blind trust issues, and historical incidents like left-pad, with debates on NPM's insecurity compared to other package managers.
Sample Comments
This has nothing to do with NPM. It is a specific package published on NPM. Also, stereotyping and insulting the NPM community is nonconstructive and out of place. Vulnerabilities in packages happen all the time in all kinds of package managers. The lesson here is to not blind-trust any package you come across that might make your job easier.
What are they doing about the supply chain attacks on npm?
What makes npm more insecure than other packaging systems?
Why don't I hear about npm package attack vectors more often? I'd expect it to be super common.
That's silly. NPM's business relies on its thriving package ecosystem, and ecosystems like it face a very real risk from this problem. It would be in their interest to provide such a service, and it would swiftly become obvious if any funny-business were going on, at which point their reputation would be completely decimated.
Like I've been saying, npm is ripe for abuse https://medium.com/p/73fac4bc5068
Aren't these the guys behind the npm fiasco? Wouldn't use them.
...and yet we worry about `npm` supply chain attacks...
Yes, and that's how malware ends up in npm and other package managers.
Blind trust in open source package managers. Look at the damage the removal of left-pad from npm caused, for example, and imagine what could have happened if the author had malicious intent.