I’m a (begrudging) TS/Node developer who has previously spent over a decade in the .Net ecosystem, and I would like to point out that this kind of @&/%} doesn’t happen in other ecosystems.
It should not take a 3rd party like GitHub to notify you that there’s a security hole in a hugely popular package. If the NPM registry can’t do any better self-policing than they already do, they should at least start tagging packages with “verified” or “official” like Docker does.
I would also say they should start advocating for experienced developers. The “even or odd” package getting hacked should have been a call to order, but apparently it wasn’t.
1 comment
[ 3.2 ms ] story [ 10.6 ms ] threadIt should not take a 3rd party like GitHub to notify you that there’s a security hole in a hugely popular package. If the NPM registry can’t do any better self-policing than they already do, they should at least start tagging packages with “verified” or “official” like Docker does.
I would also say they should start advocating for experienced developers. The “even or odd” package getting hacked should have been a call to order, but apparently it wasn’t.