[nrmitchi]

Appreciate the tanstack postmortem, however the security issue as far as the rest of the npm ecosystem goes is still an ongoing concern, correct?

Is there evidence that any downstream packages that may have pulled/included tanstack packages should be considered safe?

[alexjurkiewicz]

NPM is getting all the attacks and attention because it is the biggest. But there's nothing language specific to this class of attacks.

[nrmitchi]

Yes, that is clear. But in this particular instance the tanstack packages are downstream of a ton of other packages.

Tanstack infected a bunch of other packages; then resolving their issue doesn’t fix the widespread issue

[Joeri]

So what if they’re the biggest? They haven’t taken any meaningful steps to stop these attacks. The primary culprit for the sorry state of the npm ecosystem is npm inc, or actually their corporate overlord microsoft. They could be doing a lot more than they are.

I’m sort of reminded of how back in the day windows was swiss cheese and people kept saying “it is because they’re the biggest”, and then microsoft started caring about windows security and it improved enormously. When will microsoft start caring about npm security?