←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 1 comments | 08 Sep 25 15:37 UTC | HN request time: 0.001s | source
Show context
stathibus ◴[08 Sep 25 16:00 UTC] No.45169926[source]
As an outsider to the npm ecosystem, reading this list of packages is astonishing. Why do js people import someone else's npm module for every little trivial thing?
replies(11): >>45169990 #>>45169999 #>>45170008 #>>45170014 #>>45170015 #>>45170016 #>>45170038 #>>45170063 #>>45170879 #>>45170926 #>>45170953 #
paulddraper ◴[08 Sep 25 16:06 UTC] No.45169999[source]
Which of these would you prefer to reimplement?

Debug, chalk, ansi-styles?

---

You can pretend like this is unique to JS ecosystem, but xz was compromised for 3 years.

replies(4): >>45170140 #>>45170201 #>>45170834 #>>45171492 #
craftkiller ◴[08 Sep 25 16:20 UTC] No.45170201[source]
> You can pretend like this is unique to JS ecosystem, but xz was compromised for 3 years.

Okay, but you're not suggesting that a compression algorithm is the same scale as "is-arrayish". I don't think everyone should need to reimplement LZMA but installing a library to determine if a value is an array is bordering on satire.

replies(2): >>45170898 #>>45172881 #
paulddraper ◴[08 Sep 25 19:37 UTC] No.45172881[source]
FWIW, is-arrayish is primarily an internal dependency. The author (Qix) depends on it for the packages that actually get used, liked color and error-ex.

But it's all one author.

replies(2): >>45173271 #>>45192405 #
1. tkiolp4 ◴[08 Sep 25 20:06 UTC] No.45173271{4}[source]
They should ban Qix.