Are you referencing the ESLint backdoor? From my recollection, the two incidents seem really similar. Both were noticed and unpublished quickly. Both could have been prevented by 2FA. Can you elaborate on why you think this incident was handled better?
For some reason, a subset of the Rails community feels compelled to boost it by knocking whatever is more popular, e.g. Java in the old days, JavaScript these days. Rails is fine, but that aspect of the community is unnecessary and immature.
Yeah if you're going to sling shit like this, link to your sources. I've handled incidents involving both ecosystems over the past year and they're pretty comparable.
To all replies of this comment - it came off wrong. I didn't mean to "sling shit".
I was referring to the 'event-stream' incident in which the package maintainer unknowingly passed it off to a new malicious maintainer (he has 100s of modules). The far cry between the two was that the original maintainer basically wiped his hands clean of the incident, whereas in this _specific_ scenario the maintainers of 'bootstrap-sass' offered suggestions on how to improve the security and prevent similar events in the future. I was impressed by the prompt and professional response by the maintainers, that's all.
That being said - I generalized my comment too much, and I agree with zer01 that npm and bundler communities are very comparable and both do a great job.