by librexpr
1546 days ago
There's a big difference between publishing the source code of malware while clearly stating that it's malware, vs publishing trojan malware on NPM while knowing that it will be automatically installed by a bunch of package managers and cause damage. The former is fine; the latter is clearly malicious and is or should be a crime.
|
But in all seriousness, that was one of the most jarring things I found when switching from a Java/Maven stack to JS/NPM. Both Maven and NPM offer similar features for managing dependencies, but anecdotally I found the folks managing Java projects to be a lot more obsessive about carefully managing their dependencies while in the NPM world, it seems almost to be a "best practice" to just use open ranges for your dependencies and automatically update them...
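As an added example (not part of the comment above, and not tooling from any project it mentions), a small Node.js check that reads a constructed package.json and flags every dependency specifier that is not pinned to an exact version, i.e. the open ranges the comment contrasts with carefully pinned Maven dependencies. The field names and the sample manifest are assumptions made for the demonstration.

```javascript
// Added example: report dependency specifiers in a package.json that are not
// exact pins. Anything that is not an exact semver version may resolve to a
// newer, unreviewed release on the next install, which is the exposure the
// comment above describes.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Describe why a specifier is open; return null when it is an exact pin.
function classify(spec) {
  const s = String(spec).trim();
  if (EXACT_VERSION.test(s)) return null;
  if (s === '' || s === '*' || s === 'latest') return 'any version';
  if (/^[\^~]/.test(s)) return 'caret/tilde range';
  if (/[<>]/.test(s) || /\|\|/.test(s) || /\s-\s/.test(s)) return 'comparator range';
  if (/^\d+(?:\.\d+)?$/.test(s) || (/^\d/.test(s) && /[xX*]/.test(s))) return 'x-range';
  if (/^(git|https?|github:|file:|npm:)/.test(s) || s.includes('/')) return 'non-registry source';
  return 'unrecognised specifier';
}

// Walk the dependency sections and collect { section, name, spec, reason }
// for every specifier that classify() does not accept as an exact pin.
function findOpenRanges(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const reason = classify(spec);
      if (reason) findings.push({ section, name, spec, reason });
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical package names) for the demo.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  dependencies: { left: '^1.2.3', right: '1.2.3', wild: '*', tagged: 'latest', ranged: '>=2.0.0 <3.0.0' },
  devDependencies: { tool: '~4.0.1', linter: '5.1.0', fromGit: 'git+https://example.invalid/repo.git' },
});

for (const f of findOpenRanges(JSON.parse(SAMPLE_PACKAGE_JSON))) {
  console.log(`${f.section}/${f.name}: "${f.spec}" (${f.reason})`);
}
```

Running it against a real manifest is a matter of replacing the constructed sample with `JSON.parse(fs.readFileSync('package.json', 'utf8'))`; a lockfile still controls what is actually installed, so this check is about what the manifest permits, not what was last resolved.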