by cphoover 3741 days ago
Don't think this really solves the problem... I think the real issue here is security of what happens when a deep dependency in NPM's graph gets removed... Right now it is possible for anyone to republish said dependency with any (perhaps evil) package. What needs to happen is either unpublish needs to be disabled, or when you remove a dependency that is heavily depended on, an empty placeholder has to be automatically added by NPM so no one can hijack the package name. The question becomes what constitutes a heavily depended-on package. (100 dependents? 1000?)
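The comment's open question (how many dependents make a package "heavily depended on") is really a reverse-dependency count over the registry graph, and a direct count understates it because the removed name is also reachable through every package that transitively pulls it in. The following is an added illustration, not code from the thread or from npm: it builds the reversed graph for a small constructed registry, counts direct and transitive dependents with a breadth-first walk, and applies a hypothetical threshold to decide whether an unpublish should leave a reserved placeholder behind. All package names and the `unpublish_policy` function are invented for the example.

```python
"""Added example: deciding whether an unpublished name must be reserved.

The dependency graph, package names and the 'reserve'/'release' policy
are all constructed for illustration; no real registry is consulted.
"""
from collections import defaultdict, deque

# Constructed sample registry: package -> packages it depends on directly.
SAMPLE_GRAPH = {
    "tiny-pad": [],
    "line-tool": ["tiny-pad"],
    "build-core": ["line-tool"],
    "app-scripts": ["build-core"],
    "webapp-a": ["app-scripts"],
    "webapp-b": ["app-scripts", "tiny-pad"],
    "util-x": [],
    "small-helper": ["util-x"],
}


def reverse_graph(graph):
    """Map each package to the set of packages that depend on it directly."""
    rev = defaultdict(set)
    for pkg, deps in graph.items():
        rev.setdefault(pkg, set())  # leaf packages still get an entry
        for dep in deps:
            rev[dep].add(pkg)
    return rev


def transitive_dependents(rev, package):
    """Breadth-first walk over the reversed graph.

    Returns every package that reaches `package` through any chain of
    dependencies, i.e. everything that would be exposed if the name were
    republished with different contents.
    """
    seen = set()
    queue = deque(rev.get(package, ()))
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        queue.extend(rev.get(current, ()))
    return seen


def unpublish_policy(graph, package, threshold):
    """Hypothetical policy: reserve the name when transitive dependents
    reach `threshold`, otherwise release it for re-registration."""
    rev = reverse_graph(graph)
    direct = len(rev.get(package, ()))
    transitive = len(transitive_dependents(rev, package))
    decision = "reserve" if transitive >= threshold else "release"
    return {
        "package": package,
        "direct": direct,
        "transitive": transitive,
        "decision": decision,
    }


if __name__ == "__main__":
    for name in ("tiny-pad", "util-x"):
        print(unpublish_policy(SAMPLE_GRAPH, name, threshold=3))
```

In the constructed graph `tiny-pad` has only two direct dependents but five transitive ones, so a rule that counts direct dependents alone would let a widely reachable name go back into the pool; counting over the reversed graph is what makes a threshold like the one the comment asks about meaningful.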