[ajross]

The "triggered" bit is just flaming. Please stop that.

But I'm not following how you get from popularity numbers to "attack surface". The latter is a term of art that reflects the amount of complexity on the "outside" of a software system that can be interacted with by an attacker. It correlates well with "amount of code". I don't see that it has any relation at all to number of installs.

[vlovich123]

I originally used attack surface imprecisely in terms of how many people you compromise with a single vulnerability. In other words the economic value of the attack. But also in the formal term of art, it's still true that NPM has a larger attack surface with many more weak points than something like Debian has. VSCode is trickier since it's a single application, so may not be from that perspective. However, it is basically running Chrome so it is still quite a large attack surface area.

But sure, let's use "amount of code" as a proxy. Debian has ~123GiB of source code [1] across ~65k packages [2] while NPM has 74 GiB [3] if I'm reading it correctly (other sources say 128 GiB) across 3.3 M packages [4]. Given that JS requires less code than C for equivalent functionality (due to a richer runtime & no memory management), any way you slice it, NPM is a much larger attack surface both in terms of number of opportunities and how valuable the attack is.

[1] https://www.debian.org/mirror/size

[2] https://www.debian.org/doc/manuals/debian-faq/basic-defs.en....

[3] https://replicate.npmjs.com/

[4] https://en.wikipedia.org/wiki/Npm#Registry