by dgellow 1559 days ago
People focus on the attack itself and the reasons behind it. I feel that we are missing the bigger picture here: this type of supply chain attack in the open source world is a systematic problem. It's a direct result of assumptions baked into services such as npm, pypi, rubygems, etc., and assumptions people have regarding 3rd party dependencies.

The blast radius is monstrously giant. We seem to be still very naive in the way we approach, use, and implement those types of systems, with an assumption that maintainers are working in good faith and are reliable.

I don't know how things should be, and I don't like to think of contributors and maintainers as a threat, but we have enough examples now to know that ignoring that risk is a fundamental issue.

1 comment

I agree here, it's insane the number of dependencies JS developers are willing to take on. A decent sized project will see tens of thousands of extra files added to it (even if a lot of it is noncode stuff like licensing). From the outside it even looks like someone's employability goes up if they manage to add extra dependencies to a project, since they can point to their download count to a prospective employer.

It's insane how much legal liability a company takes on by agreeing to so many unread licenses. And how much attack surface they're exposing themselves to with their sprawling dependency chains.
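The two complaints above, an unread license pile and a sprawling transitive tree, are both visible in a project's lockfile before anything is installed. The script below is an added example, not code from the thread or from npm; it walks an npm package-lock.json (lockfileVersion 2 or 3, which records each installed package under a "packages" map keyed by its node_modules path and, for registry tarballs, its resolved URL, integrity hash and license field) and reports the size and nesting depth of the tree, the license tally, packages with no declared license, packages with no integrity hash, and packages resolved from somewhere other than the registry. The package names in SAMPLE_LOCK are constructed for the example, and the set of trusted registry hosts is an assumption you would adjust for a private registry.

```javascript
// Added example (not from the thread): summarize an npm package-lock.json
// (lockfileVersion 2 or 3) from a supply-chain point of view.

// Assumption for this example: only the public npm registry is "trusted".
// Add your private registry host here if you mirror packages.
const TRUSTED_REGISTRY_HOSTS = new Set(["registry.npmjs.org"]);

function auditLockfile(lock) {
  const packages = lock.packages || {};
  const result = {
    packageCount: 0,       // installed packages, excluding the root project
    maxNestingDepth: 0,    // deepest node_modules/.../node_modules chain
    licenses: {},          // license string -> number of packages declaring it
    noLicense: [],         // packages with no license field in the lockfile
    noIntegrity: [],       // packages installed without an integrity hash
    untrustedSource: [],   // packages resolved from outside the trusted registry
  };

  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue;                      // "" is the root project
    if (!path.startsWith("node_modules/")) continue; // workspace entries
    result.packageCount += 1;

    // "node_modules/a/node_modules/b" has depth 2.
    const depth = path.split("node_modules/").length - 1;
    if (depth > result.maxNestingDepth) result.maxNestingDepth = depth;

    const lic = typeof entry.license === "string" ? entry.license : null;
    if (lic) result.licenses[lic] = (result.licenses[lic] || 0) + 1;
    else result.noLicense.push(path);

    if (!entry.integrity) result.noIntegrity.push(path);

    if (entry.resolved) {
      let host = null;
      try { host = new URL(entry.resolved).host; } catch (_) { /* not a URL */ }
      // git+ssh://, git+https://, plain tarball URLs on other hosts all land here.
      if (!host || !TRUSTED_REGISTRY_HOSTS.has(host)) result.untrustedSource.push(path);
    } else if (!entry.link && !entry.inBundle) {
      // No resolved URL at all: nothing pins where this package came from.
      result.untrustedSource.push(path);
    }
  }
  return result;
}

// Constructed sample lockfile; package names are made up for this example.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  requires: true,
  packages: {
    "": { name: "example-app", version: "1.0.0",
          dependencies: { "widget-a": "^1.0.0", "widget-b": "^1.4.0", "mystery-util": "^0.0.1" } },
    "node_modules/widget-a": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/widget-a/-/widget-a-1.0.0.tgz",
      integrity: "sha512-AAAA", license: "MIT",
      dependencies: { "pad-helper": "^2.0.0" } },
    "node_modules/widget-a/node_modules/pad-helper": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/pad-helper/-/pad-helper-2.0.0.tgz",
      integrity: "sha512-BBBB", license: "ISC" },
    "node_modules/widget-b": {
      version: "1.4.0",
      // Pulled straight from a git host: no integrity hash, not from the registry.
      resolved: "git+ssh://git@github.com/example-org/widget-b.git#0123456789abcdef",
      license: "MIT" },
    "node_modules/mystery-util": {
      version: "0.0.1",
      resolved: "https://registry.npmjs.org/mystery-util/-/mystery-util-0.0.1.tgz",
      integrity: "sha512-CCCC" /* no license field */ },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]
// Without an argument the constructed sample above is audited.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  console.log(JSON.stringify(auditLockfile(lock), null, 2));
}
```

On a real lockfile the noLicense list is the set of licenses nobody has read because nobody could, and the noIntegrity and untrustedSource lists are the packages whose contents are not pinned to a registry-published hash, which is where a compromised maintainer account or git tag can substitute code without the lockfile noticing.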