by capableweb 1684 days ago
Yes and no. Open source is built on trust, something we're starting to feel the backsides of today, where npm modules sometimes get compromised, but people also get shared responsibility over shared resources like reusable libraries.

I'm torn if it's good or bad really. I feel like our tools should do more to protect us, but until we get there, maybe we do need to be more careful with who we're giving our trust to?


From a security standpoint, how did NPM become a thing? Bar none, it feels like the most compromisable system short of SCADA.
A small JavaScript standard library and more demand for packages with the use cases from running it server-side seem to be contributing factors.