by ocdtrekkie 1553 days ago
I think if you pull in code from all sorts of random people across the Internet, you probably absolutely should have some idea what risks that entails, and stay aware of the "latest drama", so you know when running "npm update" is likely to ruin the rest of your day.

Of course, the ideal solution is just to not use an ecosystem where pulling in code from all sorts of random people is common.

Hard disagree. Needing to follow the politics of every piece of your tech stack is a ridiculous way of doing things. We should have a system to verify if a module is malicious or not, that’s an engineering problem, politicking about in open source communities is not. Engineers should be engineering things.
You can not engineer away human problems. I agree that's a ridiculous way of doing things, but it's the only reasonable way to use Node! Which is to say, I think Node is not a great tech stack if you do not want to follow drama.

Adding an antivirus scanner to your Node project is not going to fix this. It certainly hasn't solved the malware issue in the last few decades for PCs.

At the very least don’t task your principal engineer with solving human problems then. I stand by my initial comment that that is a waste of a good engineer's time and mental health.