by warpech 2310 days ago
If this happens in future, you can switch an NPM mirror, such as:

- https://open-registry.dev/#get-started

- https://npm.taobao.org/

WARNING: Research who runs the mirror before putting your trust in it.

How to turn on:

  npm config set registry https://npm.open-registry.dev

How to turn off:

  npm config delete registry

I would not recommend using the Taobao registry though. This is operated by a Chinese company. Aside from the cybersecurity concerns, if it's hosted in China you'll be getting bad latency.
It's just a mirror service address, the NPM package is the same. Worrying too much about cybersecurity is a bit of a storm in a teacup.
Well, how do you know it's "just" a mirror service, and it is not using a zero-day to exploit your system, by installing a rootkit or copying your code to their servers?

I agree that it's a valid concern.

If you're concerned about injection into a third-party package, you should be using `package-lock.json` (or equiv) and integrity hashing your dependencies at install time.
Signed packages would go some way towards better distributing npm
In fact, you can compare the installed dependencies' code line by line; JavaScript won't be compiled anyway.
I'll admit I don't know the specifics of how NPM works or if it's even a valid concern. But cybersecurity is becoming much more about a power grab than actual hacking these days. And if you depend on things in China for your American company, you can bet that will be on the table for any future attacks.
Thanks for the suggestion, this is really valuable for those who trust Chinese products or are Chinese.
It really must be the end of the world for me to trust and switch to a Chinese NPM mirror.