by vulpes 3748 days ago
Here's [1] a list of all modules that were liberated. Some serious land-grab opportunities there

[1]: https://gist.github.com/azer/db27417ee84b5f34a6ea

1 comments

> Some serious land-grab opportunities there

It sums up the biggest issue with npm. Modules shouldn't be a name but a namespace + a name, just like composer. Someone shouldn't be able to have a monopoly on names like "web" or "async". It should be "some-namespace/module-name".

Absolutely. All packages should be namespaced by org or author. This also brings up a very real malware injection possibility:

* User removes 'alert' from npm, last version was 1.1.0

* Consumers with "alert": "^1.0.0" now have broken builds

* Troll grabs "alert", publishes 1.1.1 with a "postinstall" hook that steals personal data / installs a trojan / deletes data

* Major numbers of development machines and some production environments are now compromised

Shrinkwraps should also include a package hash to protect users against the repository. I'm starting work on a PR to `ied` that will do this.