←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 5 comments | 08 Sep 25 15:37 UTC | HN request time: 0.001s | source
Show context
stathibus ◴[08 Sep 25 16:00 UTC] No.45169926[source]
As an outsider to the npm ecosystem, reading this list of packages is astonishing. Why do js people import someone else's npm module for every little trivial thing?
replies(11): >>45169990 #>>45169999 #>>45170008 #>>45170014 #>>45170015 #>>45170016 #>>45170038 #>>45170063 #>>45170879 #>>45170926 #>>45170953 #
paulddraper ◴[08 Sep 25 16:06 UTC] No.45169999[source]
Which of these would you prefer to reimplement?

Debug, chalk, ansi-styles?

---

You can pretend like this is unique to JS ecosystem, but xz was compromised for 3 years.

replies(4): >>45170140 #>>45170201 #>>45170834 #>>45171492 #
1. dsff3f3f3f ◴[08 Sep 25 16:17 UTC] No.45170140[source]
I wouldn't use debug or ansi-styles. They're not even remotely close to being worth adding a dependency. Obviously none of them are trustworthy now though.
replies(1): >>45170217 #
2. skydhash ◴[08 Sep 25 16:22 UTC] No.45170217[source]
I wouldn’t even use chalk. Altering terminal output is easy. But it should be used sparingly.
replies(1): >>45170805 #
3. dsff3f3f3f ◴[08 Sep 25 17:05 UTC] No.45170805[source]
You're right. I only looked at the source for debug and ansi-styles. After looking at chalk it's insanity to add that as a dependency as well.
replies(1): >>45176684 #
4. kesor ◴[09 Sep 25 02:25 UTC] No.45176684{3}[source]
And yet it has 300M weekly downloads. I am fairly sure that most of these are not because it is a direct dependency of people's projects, but rather it is a dependency of a dependency of a dependency.
replies(1): >>45176780 #
5. skydhash ◴[09 Sep 25 02:41 UTC] No.45176780{4}[source]
I think expo and eas-cli (the expo build service) is using chalk. Never understood what those cli need colors for what can be easily done with proper spacing and some symbols.