Hacker News
by pgraf 741 days ago
TLDR: A Denial-of-Service vulnerability triggered via cache poisoning on registry.npmjs.org which can render individual packages inaccessible

I don't see the big security impact that the headline suggests, as active big-scale exploitation would likely be quickly noticed and fixed. The most interesting attack vector IMHO would be to block individual security fixes to packages on a small scale.


> would likely be quickly noticed and fixed

Fixed as in fixing the exploit that TFA is reporting? Isn’t that the point of their report?

Perhaps, but it could also be fixed/mitigated by cycling the cache state and blocking bots. It might also be something that can be blocked in a web proxy.

It's interesting, but I share the thought that the impact is overstated.