by choward 1559 days ago
> I don't know how I feel about this.

> On one hand, this is a seemingly non-violent and subtle way to protest.

You can't be serious. Being non-violent and subtle is no excuse for deliberately making software have real side effects on a computer that it's not advertised to do, especially a node library. Node modules for some reason tend to be very small and have trivial tasks like checking if something is a number. Imagine if everything shipped with its own political malware.

No matter how you want to spin it this is completely unacceptable and nobody should ever trust this developer again.

> But it also points out how many packages go un-checked and just installed into a container running with root permissions.

The fact that "packages go unchecked" doesn't make this okay either.

3 comments

> Imagine if everything shipped with its own political malware.

Then people could write their own code to check if something is a number.

I didn't condone anything or anyone, I just stated I wasn't sure how to feel about it.

Any assumptions or claims beyond that are your own delusions.

I dunno. If you’re sloppy enough to install whatever dependencies onto your system, and not notice a new dependency, called “peacenotwar”, I’d say it’s your problem.

Doesn’t necessarily make it OK, but this will only affect the sloppy.

No one is going to audit the entire transitive closure of their dependency graph for every project they try out on their computer. This is not just going to affect the sloppy.
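Nobody reviews the whole transitive closure by hand, but the lockfile already records it, so the cheap check is to diff the closure between two lockfile revisions and look only at what is new. The script below is an added example, not code from the thread or from any of the packages discussed: it walks the `packages` map of an npm `lockfileVersion` 2/3 `package-lock.json`, lists every `name@version` that appears in the new lockfile but not the old one, and flags entries whose `hasInstallScript` field is set, since those run code at install time. The two lockfiles and all package names and versions in them (`some-lib`, `native-bindings`, and a `peacenotwar` entry) are constructed for the example and say nothing about the real packages.

```javascript
// Added example: surface new transitive dependencies between two npm lockfiles.
// Lockfile shape follows npm lockfileVersion 2/3, where "packages" is keyed by
// the install path ("node_modules/<name>", nested paths for duplicates).

// Constructed "before" lockfile: one direct dependency with one transitive one.
const OLD_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'some-lib': '^1.0.0' } },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { helper: '2.0.2' } },
    'node_modules/helper': { version: '2.0.2' },
  },
};

// Constructed "after" lockfile: some-lib was bumped and now pulls in two new
// packages, one of which declares an install-time script.
const NEW_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'some-lib': '^1.0.0' } },
    'node_modules/some-lib': {
      version: '1.1.0',
      dependencies: { helper: '2.0.2', peacenotwar: '9.1.1', 'native-bindings': '0.3.0' },
    },
    'node_modules/helper': { version: '2.0.2' },
    'node_modules/peacenotwar': { version: '9.1.1' },
    'node_modules/native-bindings': { version: '0.3.0', hasInstallScript: true },
  },
};

// Map "name@version" -> details for every installed package in a lockfile.
// The root entry ("") is the project itself and is skipped. The package name
// is everything after the last "node_modules/" segment, which also handles
// nested installs and scoped packages ("@scope/name").
function packagesOf(lock) {
  const out = new Map();
  const marker = 'node_modules/';
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue;
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    out.set(`${name}@${meta.version}`, {
      name,
      version: meta.version,
      path,
      hasInstallScript: Boolean(meta.hasInstallScript),
    });
  }
  return out;
}

// Return the packages present in newLock's closure but absent from oldLock's,
// sorted by "name@version" so the output is stable across runs.
function newDependencies(oldLock, newLock) {
  const before = packagesOf(oldLock);
  const after = packagesOf(newLock);
  const added = [];
  for (const [key, info] of after) {
    if (!before.has(key)) added.push({ key, ...info });
  }
  added.sort((a, b) => a.key.localeCompare(b.key));
  return added;
}

// Render one line per new package, marking the ones that run install scripts.
function report(added) {
  return added.map((p) =>
    `${p.hasInstallScript ? '[install script] ' : ''}${p.key}  (${p.path})`);
}

// Stand-alone run over the constructed sample lockfiles.
for (const line of report(newDependencies(OLD_LOCK, NEW_LOCK))) {
  console.log(line);
}
```

In practice the two inputs are the committed `package-lock.json` and the one produced after `npm install`, read with `fs.readFileSync` and `JSON.parse`; anything the script lists is the short review queue instead of the whole tree, and a non-empty `[install script]` line is the entry to look at first.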