by totony 1552 days ago
>This incident sets a dangerous precedent in breaking a chain of trust that today's software development heavily relies on

Such precedents should be set; we shouldn't be relying on that chain of trust (as clearly demonstrated here).

Updates should be vetted, signed, etc. Fetching stuff random people push to npm is a recipe for disaster.


How are regular developers going to vet the literally 1000s of Node.js dependencies they rely on?

And who's signing these updates? The package owner? Well, he's the one adding malicious code so he can sign whatever he wants.

I'll say it again, Node.js needs a proper standard library like Go that takes care of common needs most people have. It's been improving but it was a historical mistake to let microdependencies run wild.

IMO npm should have a "stable repo" and a "community repo" just like most distribution packagers have had for a long time.
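Added example, not code from any commenter in this thread: one concrete, cheap form of the "vetting" asked about above is checking what the lockfile already pins. npm v2/v3 lockfiles record, per installed package, the tarball URL (`resolved`), a subresource-integrity hash (`integrity`) and whether it runs install scripts (`hasInstallScript`); the audit below flags entries whose pin is missing or weak, whose tarball comes from outside the expected registry, or that run install scripts. `SAMPLE_LOCK`, the package names in it and the default allowed-host list are constructed for the example.

```javascript
// Constructed lockfile fragment (npm lockfileVersion 3 layout), not a real project.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/util-a": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/util-a/-/util-a-1.0.0.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==",
    },
    "node_modules/util-b": {
      version: "2.1.0",
      resolved: "https://mirror.example.net/util-b-2.1.0.tgz", // not the registry
      integrity: "sha1-" + "B".repeat(27) + "=",                 // weak digest
    },
    "node_modules/util-c": {
      version: "0.3.2",
      resolved: "https://registry.npmjs.org/util-c/-/util-c-0.3.2.tgz",
      hasInstallScript: true,                                    // and no integrity pin at all
    },
  },
};

// Walks every installed package in the lockfile and returns
// { total, findings }, each finding being { pkg, issue }.
function auditLockfile(lock, allowedHosts = ["registry.npmjs.org"]) {
  const findings = [];
  const entries = Object.entries(lock.packages || {}).filter(([p]) => p !== "");
  for (const [path, meta] of entries) {
    const pkg = path.replace(/^.*node_modules\//, ""); // strip nesting prefix
    if (!meta.integrity) {
      findings.push({ pkg, issue: "missing-integrity" });
    } else if (!meta.integrity.startsWith("sha512-")) {
      findings.push({ pkg, issue: "weak-integrity" });
    }
    if (meta.resolved) {
      const host = new URL(meta.resolved).hostname;
      if (!allowedHosts.includes(host)) findings.push({ pkg, issue: "untrusted-source:" + host });
    }
    if (meta.hasInstallScript) findings.push({ pkg, issue: "install-script" });
  }
  return { total: entries.length, findings };
}

const result = auditLockfile(SAMPLE_LOCK);
console.log(`${result.total} packages, ${result.findings.length} findings`);
for (const f of result.findings) console.log(`  ${f.pkg}: ${f.issue}`);
```

Running it over a real project's `package-lock.json` (read with `JSON.parse`) gives a first cut of which of those thousands of dependencies deserve a closer look, without trusting the publisher's word.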
> How are regular developers going to vet the literally 1000s of Node.js dependencies they rely on?

Perhaps they shouldn't be relying on thousands of NPM packages. It's not difficult to write JS code that doesn't `npm install` the entire package ecosystem.

If you use React, Vue and others, that decision has been made for you.