All languages have their own idiosyncrasies, not just English. I'm a native speaker of 2 different languages and I find that there is still more to learn about them via small mistakes that I make.
It depends on whether or not it actually delivers a payload. If it does, then it can use a `postinstall` hook to execute absolutely anything it wants, under the context of the user.
This is why you should always shrinkwrap and run a private npm repository in production. Anything less is opening you up to remote takeover at the whim of a single package publisher.
Did you read the GitHub thread on Express? The project is still very much alive, but its internals have been broken out into standalone packages, so the only commits to Express itself are version updates. That issue was created based on a misunderstanding.
If you read further down on the Github thread, the guy who did the splitting out is no longer working on the project and it's now fully in IBM's hands, who aren't doing much of anything.
This actually happened well before IBM acquired StrongLoop - I first noticed it in February, but it was added in January 2015. The IBM acquisition was announced in September 2015.
In their usual fashion they link to internal bug trackers when committing (without summary), something that has frustrated me greatly while attempting to work with them on strong-remoting and loopback-explorer.
`curl -i http://blip.strongloop.com/loopback` returns content from S3. Are we suggesting then they are using S3 bucket analytics to see how many times a package has been downloaded then?
Perhaps. I opened it a long time ago, but I've still been trying to keep it alive in the hope that somebody from Strongloop will actually comment on it.
In the meantime, if you use a Strongloop package, fork it and remove the optionalDependency.
35 comments
[ 3.3 ms ] story [ 77.3 ms ] threadThis is clearly inacceptable.
https://en.wikipedia.org/wiki/What_a_Country!
https://www.youtube.com/watch?v=Q8mD2hsxrhQ
https://www.youtube.com/watch?v=GIGtHhAfe8w
Isn't the solution for npm to have tighter controls on where it will download packages from?
This is why you should always shrinkwrap and run a private npm repository in production. Anything less is opening you up to remote takeover at the whim of a single package publisher.
"I think you nailed it that this is most likely more bureaucracy than malice.
IBM is like government. There's no sense of urgency whatsoever."
Source: https://www.reddit.com/r/javascript/comments/41dadv/is_expre...
In their usual fashion they link to internal bug trackers when committing (without summary), something that has frustrated me greatly while attempting to work with them on strong-remoting and loopback-explorer.
I'm certain this is a mentality issue more than anything.
In the meantime, if you use a Strongloop package, fork it and remove the optionalDependency.
...this basically invalidates any sort of use Strongloop has for tracking its users via optionalDependencies.
Thanks for that.