by colanderman
3085 days ago
When your code deployment model is effectively "download stuff from random websites", I feel like namespace recycling is the least of your worries. (That is to say, trusting that any given named package that `npm install` downloads is what you think it is is really no different than trusting `wget https://example.com/thecode.tgz`. Even if you verify that the domain hasn't switched hands, you have no guarantee that the author's pipeline wasn't compromised, or that the author didn't add malware themselves. There's a reason Debian, Red Hat et al. put a lot of effort into ensuring integrity of their repositories.)