
1369 points universesquid | 1 comments
nromiun No.45170180
I have nothing to do with this, but still I am getting second-hand embarrassment. Here is an example: the is-arrayish package, 73.8 MILLION downloads per week. The code? 3 lines to check if an object can be used like an array.

I am sorry, but this is not due to not having a good standard library, this is just bad programming. Just pure laziness. At this point just blacklist every package starting with is-.

tkiolp4 No.45173397
You don’t get it. People don’t add “is-arrayish” directly as a dependency. It goes like this:

1) N tiny dubious modules like that are created by maintainers (like Qix)

2) The maintainer then creates 1 super useful non-tiny module that imports those N dubious modules.

3) Normal devs add that super useful module as a dependency… and ofc, they end up with countless dubious transitive dependencies.

Why do maintainers do that? I don’t think it’s ignorance or laziness or lack of knowledge about good software engineering. It’s either because of ego (“I’m the maintainer of N packages with millions of downloads” sounds better than “I’m the maintainer of 1 package”), or because they get more donations, or because they are actually planning to drop malware some time soon.

paulddraper No.45183586
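The three steps above describe how a handful of direct dependencies fans out into a much larger transitive set. The following is an added example, not code from the thread or from any of the packages mentioned: it walks a `package-lock.json` (lockfileVersion 3 layout, with the root package under the `""` key and installed packages keyed by their `node_modules/...` path), separates direct from transitive dependencies, and reports every entry whose name matches a denylist pattern together with the chain that pulled it in. The lockfile is constructed inline for illustration; every package name in it other than `is-arrayish` is hypothetical, and the walk ignores peer/optional flags and workspace `link` entries.

```javascript
"use strict";
// Added example (not from the thread): audit a lockfileVersion 3
// package-lock.json for direct vs. transitive dependencies and flag
// names matching a pattern such as /^is-/.

// Constructed sample lockfile. "useful-lib", "helper-lib", "is-thing" and
// "is-other" are hypothetical names; only "is-arrayish" appears in the thread.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "useful-lib": "^1.0.0" } },
    "node_modules/useful-lib": {
      version: "1.4.0",
      dependencies: { "is-arrayish": "^0.3.2", "is-thing": "^2.0.0", "helper-lib": "^1.0.0" },
    },
    "node_modules/is-arrayish": { version: "0.3.2" },
    "node_modules/is-thing": { version: "2.0.1" },
    "node_modules/helper-lib": {
      version: "1.0.0",
      dependencies: { "is-arrayish": "^0.2.0", "is-other": "^1.0.0" },
    },
    // Nested copy: helper-lib wants a different range, so npm installs a second
    // is-arrayish under helper-lib's own node_modules.
    "node_modules/helper-lib/node_modules/is-arrayish": { version: "0.2.1" },
    "node_modules/is-other": { version: "1.0.0" },
  },
};

// Resolve dependency `name` as required from the package installed at
// lockfile path `fromPath`, using npm's nearest-node_modules lookup:
// try <fromPath>/node_modules/<name>, then walk up one node_modules level
// at a time until the root. Returns the lockfile key or null.
function resolvePath(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth-first walk from the root package. Each installed package is
// recorded once (by lockfile path) with its depth and the chain of package
// names that required it. Depth 1 entries are direct dependencies.
function walkDependencies(lock) {
  const packages = lock.packages;
  const seen = new Map();
  const queue = [{ path: "", depth: 0, chain: [] }];
  while (queue.length) {
    const { path, depth, chain } = queue.shift();
    const deps = packages[path]?.dependencies ?? {};
    for (const name of Object.keys(deps)) {
      const resolved = resolvePath(packages, path, name);
      if (resolved === null || seen.has(resolved)) continue;
      const entry = { name, version: packages[resolved].version, depth: depth + 1, chain: [...chain, name] };
      seen.set(resolved, entry);
      queue.push({ path: resolved, depth: entry.depth, chain: entry.chain });
    }
  }
  return seen;
}

// Summarise the walk: which names are direct, which arrived transitively,
// and which match `pattern` (reported as name@version plus the require chain).
function auditLock(lock, pattern) {
  const entries = [...walkDependencies(lock).values()];
  return {
    direct: entries.filter((e) => e.depth === 1).map((e) => e.name),
    transitive: entries.filter((e) => e.depth > 1).map((e) => e.name),
    flagged: entries
      .filter((e) => pattern.test(e.name))
      .map((e) => `${e.name}@${e.version} via ${e.chain.join(" > ")}`),
  };
}

// To run against a real project instead of the sample:
//   const lock = JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"));
const REPORT = auditLock(SAMPLE_LOCK, /^is-/);
console.log(JSON.stringify(REPORT, null, 2));
```

With the sample lockfile the app declares one direct dependency but installs five transitive ones, four of which match `/^is-/`, including two different versions of `is-arrayish` reached by different chains. The chain output is what makes the report actionable: it tells you which direct dependency to pin, replace or vendor, rather than just that a tiny package is present.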
I think the real answer is far less nefarious.

They personally buy into modularization, do-one-thing-do-it-well. Also engineering is fun, and engineering more things is more fun.