Post
’No Way to Prevent This‘ Says Only* Package Manager Where This Regularly Happens.
*I know.
In all seriousness, what do we do now? Has this been stopped? Is it safe to start scanning our deps and know we find everything? Do we have to assume running `npm install` is extremely dangerous right now? What is npm doing?
I’ve advised my company to pause JavaScript development for the time being, and that surely can’t be it?
https://narrativ.es/@janl/115606622055750279
If you can't use JavaScript without Node then you're a Node developer, not a JavaScript one.
I'd go so far as to say that developers who rely on NPM don't actually know how to develop in JavaScript. All they know is how to string together packages and hope they work and don't leak data.
What you do now depends on whether there is a strong enough community to create a robust library of trustworthy basic components so the whole thing doesn't rest on some teenager's side project.
@janl We just scan all projects for a package-lock.json file and check that it has not been updated since two days ago. That ensures you can't install infected versions. I think there is also work underway to scan all machines for user-installed packages, which also just scans for local package-lock files.
@atjn ah that is smart, thanks!
A space for Bonfire maintainers and contributors to communicate
