Yeah, I think people really underestimate how massive of a security liability node_modules is in the way the system currently works.
Fixing it should really be given top priority, but it doesn't look to be a very popular subject when you compare it to some of the others, such as whether or not ESLint should become a NodeJS core module ...
NPM is one of the most dangerous implementations, but the whole concept of pulling in thousands of unknown dependencies is dangerous on its own, even in other languages.
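To make the "thousands of unknown dependencies" point concrete, here is an added example (not code from the thread or from npm itself) that audits a `package-lock.json` in the lockfile v2/v3 layout, where each installed package appears under `packages` with `resolved`, `integrity`, and (when it has a lifecycle script) `hasInstallScript`. The lockfile object below is constructed for illustration; the function names and the `https://registry.npmjs.org/` check are this example's own assumptions about what a team considers a trusted source.

```javascript
// Added example: summarise what an `npm install` would actually pull in,
// from the lockfile alone, before touching the network.

// Constructed sample lockfile (not a real project). One direct dependency
// fans out into three installed packages.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "left-pad-ish": "^1.0.0" } },
    "node_modules/left-pad-ish": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.0.tgz",
      integrity: "sha512-PLACEHOLDER", // placeholder hash, constructed
      dependencies: { "tiny-helper": "^2.0.0" },
    },
    "node_modules/tiny-helper": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/tiny-helper/-/tiny-helper-2.0.0.tgz",
      integrity: "sha512-PLACEHOLDER", // placeholder hash, constructed
      hasInstallScript: true, // preinstall/postinstall runs on every install
      dependencies: { "deep-dep": "^0.1.0" },
    },
    "node_modules/deep-dep": {
      version: "0.1.0",
      // Not from the registry and no integrity field: nothing pins its contents.
      resolved: "git+ssh://git@example.invalid/someone/deep-dep.git#abc123",
    },
  },
};

// Hypothetical policy for this example: only the public registry is trusted.
const TRUSTED_PREFIX = "https://registry.npmjs.org/";

// Package name from a lockfile path, e.g. "node_modules/a/node_modules/b" -> "b".
function nameFromPath(lockPath) {
  return lockPath.replace(/^.*node_modules\//, "");
}

// Walk the lockfile and collect the facts a reviewer would want to see.
function auditLockfile(lock) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const findings = {
    direct: Object.keys(root.dependencies || {}).length, // what you asked for
    total: 0, // what you actually get
    missingIntegrity: [], // nothing verifies the tarball contents
    installScripts: [], // code that runs at install time, not just at require()
    nonRegistry: [], // resolved from somewhere other than the trusted registry
  };
  for (const [lockPath, pkg] of Object.entries(packages)) {
    if (lockPath === "") continue; // the project itself
    findings.total += 1;
    const name = nameFromPath(lockPath);
    if (!pkg.integrity) findings.missingIntegrity.push(name);
    if (pkg.hasInstallScript) findings.installScripts.push(name);
    if (pkg.resolved && !pkg.resolved.startsWith(TRUSTED_PREFIX)) {
      findings.nonRegistry.push(name);
    }
  }
  return findings;
}

// Run as a script: `node audit-lock.js [path/to/package-lock.json]`.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const r = auditLockfile(lock);
  console.log(`${r.direct} direct dependencies expand to ${r.total} installed packages`);
  console.log("missing integrity:", r.missingIntegrity);
  console.log("install scripts:  ", r.installScripts);
  console.log("non-registry:     ", r.nonRegistry);
}
```

On the constructed sample this reports one direct dependency expanding to three installed packages, one of which runs an install script and one of which is fetched from a git URL with no integrity hash; on a real lockfile the same three lists are a reasonable first pass before deciding what `npm install` is allowed to execute.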