|
|
|
|
|
|
by spriggan3
3748 days ago
|
|
|
> Some serious land-grab opportunities there It sums up the biggest issue with npm. Modules shouldn't be a name but a namespace + a name , just like composer. Someone shouldn't be able to have a monopoly on names like "web" or "async". It should be "some-namespace/module-name". |
|
|
* User removes 'alert' from npm, last version was 1.1.0
* Consumers with "alert": "^1.0.0" now have broken builds
* Troll grabs "alert", publishes 1.1.1 with a "postinstall" hook that steals personal data / installs a trojan / deletes data
* Major numbers of development machines and some production environments are now compromised
Shrinkwraps should also include a package hash to protect users against the repository. I'm starting work on a PR to `ied` that will do this.