by STRML
3747 days ago
Absolutely. All packages should be namespaced by org or author. This also brings up a very real malware injection possibility:

* User removes 'alert' from npm, last version was 1.1.0
* Consumers with "alert": "^1.0.0" now have broken builds
* Troll grabs "alert", publishes 1.1.1 with a "postinstall" hook that steals personal data / installs a trojan / deletes data
* Major numbers of development machines and some production environments are now compromised

Shrinkwraps should also include a package hash to protect users against the repository. I'm starting work on a PR to `ied` that will do this.