by fencepost 3082 days ago
Independent of npm's issues now and in the past, how vulnerable are other package managers to similar problems? There were typosquatting issues with pip, replacement issues with Rubygems, probably others that I don't recall. What's the current state of things for the more commonly used languages?

Maven/Gradle don't allow un-namespaced packages; nobody knows for sure how deep up their arse npm's designers have had their ass when they made non-namespaced packages possible (even the only way in the beginning; I don't know if it's still the default).

Additionally, there's the problem of npm's fine-grained dependencies (which have become a laughing stock in themselves). In my large Java projects, while I don't know every single dependency, I know all the "vendors", i.e. the trusted upstream namespaces I use, and their transitive dependencies. There's the occasional non-Eclipse, non-Google, non-Apache dependency (say, XStream), but I am aware of it and pin it to a specific version. npm with its thousands of dependencies by hundreds of pseudonymous developers for simple projects is an abomination.

`Crates.io` (the Rust package ecosystem) doesn't have namespaces and operates on the first-come, first-served principle. They won't resolve name-squatting issues, so something like the left-pad debacle won't happen. I think their policy[0] is quite sane. At least I'm not aware of any issues of that kind regarding crates.io.

For typosquatting: I don't think that problem can be easily solved by package registries. They could warn you if there is a package with a similar name (and more votes, downloads, whatever), but aside from that, the developer should double-check the dependency names and that's it.

[0]: https://crates.io/policies
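The "warn on a similar name with more downloads" check the comment above sketches, written out as an added example (not code from the thread or from any registry): it runs a Levenshtein distance over a constructed registry snapshot with made-up download counts, and flags near-identical names that are far more popular than the one requested. `REGISTRY`, `levenshtein` and `typosquat_warnings` are my own names, not any registry's API.

```python
# Constructed registry snapshot: package name -> weekly downloads.
# The names and counts are illustrative only, not real registry data.
REGISTRY = {
    "left-pad": 2_500_000,
    "lodash": 30_000_000,
    "request": 20_000_000,
    "requests": 1_200,  # constructed: a near-name package with few downloads
    "colors": 5_000_000,
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def typosquat_warnings(requested, registry, max_distance=2, min_ratio=100):
    """Return [(name, distance, downloads)] for packages whose name is within
    max_distance edits of `requested` and that have at least min_ratio times
    more downloads than the requested package (or any downloads at all, if the
    requested name is not in the registry). Sorted by closest name, then most
    popular, so the first hit is the likeliest intended package."""
    requested = requested.lower()
    own = registry.get(requested, 0)
    hits = []
    for name, downloads in registry.items():
        if name == requested:
            continue
        dist = levenshtein(requested, name.lower())
        if dist <= max_distance and downloads >= min_ratio * max(own, 1):
            hits.append((name, dist, downloads))
    hits.sort(key=lambda h: (h[1], -h[2]))
    return hits


if __name__ == "__main__":
    for wanted in ("requests", "lodsah", "lodash"):
        for name, dist, dl in typosquat_warnings(wanted, REGISTRY):
            print(f"warning: '{wanted}' is {dist} edit(s) from '{name}' ({dl:,} downloads/week)")
```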