←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 6 comments | 08 Sep 25 15:37 UTC | HN request time: 0s | source | bottom
Show context
stathibus ◴[08 Sep 25 16:00 UTC] No.45169926[source]
As an outsider to the npm ecosystem, reading this list of packages is astonishing. Why do js people import someone else's npm module for every little trivial thing?
replies(11): >>45169990 #>>45169999 #>>45170008 #>>45170014 #>>45170015 #>>45170016 #>>45170038 #>>45170063 #>>45170879 #>>45170926 #>>45170953 #
paulddraper ◴[08 Sep 25 16:06 UTC] No.45169999[source]
Which of these would you prefer to reimplement?

Debug, chalk, ansi-styles?

---

You can pretend like this is unique to JS ecosystem, but xz was compromised for 3 years.

replies(4): >>45170140 #>>45170201 #>>45170834 #>>45171492 #
1. craftkiller ◴[08 Sep 25 16:20 UTC] No.45170201[source]
> You can pretend like this is unique to JS ecosystem, but xz was compromised for 3 years.

Okay, but you're not suggesting that a compression algorithm is the same scale as "is-arrayish". I don't think everyone should need to reimplement LZMA but installing a library to determine if a value is an array is bordering on satire.

replies(2): >>45170898 #>>45172881 #
2. ◴[08 Sep 25 17:12 UTC] No.45170898[source]
3. paulddraper ◴[08 Sep 25 19:37 UTC] No.45172881[source]
FWIW, is-arrayish is primarily an internal dependency. The author (Qix) depends on it for the packages that actually get used, liked color and error-ex.

But it's all one author.

replies(2): >>45173271 #>>45192405 #
4. tkiolp4 ◴[08 Sep 25 20:06 UTC] No.45173271[source]
They should ban Qix.
5. craftkiller ◴[10 Sep 25 02:27 UTC] No.45192405[source]
It might be an internal dependency for this author, but package.json is only for direct dependencies, right? github shows is-arrayish is a direct dependency of thousands of repos: https://github.com/search?q=%22is-arrayish%22+path%253Apacka...
replies(1): >>45200779 #
6. paulddraper ◴[10 Sep 25 17:14 UTC] No.45200779{3}[source]
Yes. And npm shows 1500 direct dependent packages. [1]

Vast majority are nothing. No stars, no downloads.

(IDK why. What I do know is that if you crack open the node_modules for any real project, is-arrayish will be there only because of one of the Qix packages.)

[1] https://www.npmjs.com/package/is-arrayish?activeTab=dependen...