←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 1 comments | 08 Sep 25 15:37 UTC | HN request time: 0.343s | source
Show context
stathibus ◴[08 Sep 25 16:00 UTC] No.45169926[source]
As an outsider to the npm ecosystem, reading this list of packages is astonishing. Why do js people import someone else's npm module for every little trivial thing?
replies(11): >>45169990 #>>45169999 #>>45170008 #>>45170014 #>>45170015 #>>45170016 #>>45170038 #>>45170063 #>>45170879 #>>45170926 #>>45170953 #
dist-epoch ◴[08 Sep 25 16:08 UTC] No.45170015[source]
This is spreading everywhere, Rust, Python, ...
replies(3): >>45170086 #>>45170495 #>>45171565 #
1. Klonoar ◴[08 Sep 25 17:57 UTC] No.45171565[source]
Rust is an interesting case to me.

There are certainly a lot of libraries on crates.io, but I’ve noticed more projects in that ecosystem are willing to push back and resist importing unproven crates for smaller tasks. Most imported crates seem to me to be for bigger functionality that would be otherwise tedious to maintain, not something like “is this variable an array”.

(Note that I’m not saying Rust and Cargo are completely immune to the issue here)