Hacker News
by duxup 1553 days ago
>this stuff seems to only happen in the JS community

What stuff? Drama? That happens everywhere.

Malware? That stuff happens a lot of places, maybe npm makes it more accessible but that's just a technical hurdle ... doesn't mean it wouldn't happen elsewhere if folks could do it easily.

1 comments

I'm talking about the particular sort of incident mentioned in the grandparent post, where a dev gets a bee in their bonnet about something or other and decides to purposefully screw over their users. Other ecosystems have had supply chain attacks of course, but something about JS seems to really encourage turning run-of-the-mill internet drama into CVEs and broken software.

Maybe, as you say, it's a technological problem. However, if that's the case, it's an eminently solvable one, as evidenced by the fact that I've never in my life had to avoid bumping my Java dependencies because I'm worried my CI pipeline will be overrun with heart emojis, and the fact that the JS community has not solved it just points to a different kind of un-seriousness.