I think NPM gets so much attention because the JS convention of depending on absurd dependency graphs amplifies the problem.
@fallenhitokiri @chanakya it’s certainly the least healthy package ecosystem. My hunch is we’re going to see an industry of companies offering Security Verified alternate registries soon, with a subset of packages but some assurances that people (or, let’s face it, an LLM) have done some review before publishing new versions.
@jon @fallenhitokiri when an ecosystem enables one disgruntled package owner (rightfully in this case - pad-left) https://archive.is/XMea1 to bring down the internet, it is an active risk (security and otherwise) for any company using the ecosystem. People being diligent about vetting dependencies alone wouldn't suffice.
@chanakya @fallenhitokiri part of proper vetting should be running your own registry with only vetted packages in it, which among other things prevents another company’s lawyers from causing a dependency you rely on to suddenly become unavailable.
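Added example, not part of the thread above: once you run a private registry with only vetted packages, the check that actually enforces it is auditing the lockfile so that nothing resolves from the public registry and nothing outside the vetted set sneaks in transitively. The script below does that for a `package-lock.json` in the lockfileVersion 2/3 "packages" layout; the registry URL `https://npm.internal.example/`, the allowlist, and the embedded sample lockfile are all constructed for the example.

```javascript
// Audit an npm package-lock.json against a vetted private registry.
// Assumptions (not from the thread): the registry URL, the allowlist, and
// the sample lockfile below are constructed for this example.

const VETTED_REGISTRY = "https://npm.internal.example/"; // assumed private registry
const ALLOWLIST = new Set(["left-pad", "lodash"]);        // assumed vetted package names

// Constructed sample lockfile (lockfileVersion 2/3 "packages" layout).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { "left-pad": "^1.3.0", lodash: "^4.17.21" } },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://npm.internal.example/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-AAAA",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      // Resolved straight from the public registry: bypasses the vetted mirror.
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      integrity: "sha512-BBBB",
    },
    "node_modules/evil-pkg": {
      version: "0.0.1",
      resolved: "https://npm.internal.example/evil-pkg/-/evil-pkg-0.0.1.tgz",
      // No integrity field: the tarball cannot be pinned to a known hash.
    },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (last package segment,
// so nested and scoped packages are handled).
function packageName(lockKey) {
  const parts = lockKey.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns a list of findings; an empty list means the lockfile is clean.
function auditLockfile(lock, registry = VETTED_REGISTRY, allowlist = ALLOWLIST) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry, not a dependency
    const name = packageName(key);
    if (!allowlist.has(name)) {
      findings.push({ name, reason: "not on allowlist" });
    }
    if (!entry.resolved || !entry.resolved.startsWith(registry)) {
      findings.push({ name, reason: "resolved outside vetted registry", resolved: entry.resolved });
    }
    if (!entry.integrity) {
      findings.push({ name, reason: "missing integrity hash" });
    }
  }
  return findings;
}

// Run against the constructed sample when executed directly.
const sampleFindings = auditLockfile(sampleLock);
for (const f of sampleFindings) {
  console.log(`${f.name}: ${f.reason}${f.resolved ? " (" + f.resolved + ")" : ""}`);
}
```

To use it on a real project, load the lockfile with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and pass it to `auditLockfile`, failing the CI job when the returned list is non-empty. Note that it only catches what is recorded in the lockfile; pair it with an `.npmrc` that points `registry` at the private mirror so new installs cannot resolve elsewhere in the first place.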