by shoeb00m 36 days ago
Most of these attacks have nothing to do with installing trivial dependencies. It’s usually because the author's npm tokens got hacked; often due to GitHub Actions.

The issue is that GitHub Actions has too many security gaps that are easy to miss.


No. It is partially due to trivial dependencies. With so many dependencies it is very difficult to evaluate the security posture of all the teams that are inserting themselves into your code.

When I publish commercial software for Unices that use shared object libraries, one of the things we do before publishing is review known vulnerabilities of our 10 dependencies. That is a tractable number. I get a senior engineer to spend time with an intern and step them through the evaluation criteria.

If the team managing a particular library grows lax over time with respect to responding to vulnerabilities, we move away from using that library.

And we can do these things because there are a tractable number of dependencies.

But yes, also GitHub is not pure as the driven slush. I agree with you on that.
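The review process the comment above describes (a small, tractable dependency list, with maintainers who grow lax about fixing vulnerabilities getting dropped) can be turned into a repeatable check. The script below is an added example, not code from the commenter: the library names, advisory ids and dates are constructed placeholders, and the 30-day median / zero-open-advisories thresholds are assumed evaluation criteria, not ones stated in the thread.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass(frozen=True)
class Advisory:
    library: str
    advisory_id: str        # placeholder id, not a real advisory number
    published: date         # when the vulnerability became public
    fixed: Optional[date]   # when the maintainers shipped a fix; None = still open

# Constructed sample data standing in for the project's dependency review
# (hypothetical libraries and dates, not real vulnerabilities).
SAMPLE = [
    Advisory("libfoo", "ADV-libfoo-1", date(2024, 1, 10), date(2024, 1, 14)),
    Advisory("libfoo", "ADV-libfoo-2", date(2024, 6, 2), date(2024, 6, 9)),
    Advisory("libbar", "ADV-libbar-1", date(2023, 11, 1), date(2024, 3, 1)),
    Advisory("libbar", "ADV-libbar-2", date(2024, 5, 20), None),
    Advisory("libbaz", "ADV-libbaz-1", date(2024, 2, 1), date(2024, 2, 3)),
]
TODAY = date(2024, 7, 1)   # fixed "review date" so the example is reproducible

def days_to_fix(adv: Advisory, today: date) -> int:
    """Days from disclosure to fix; an unfixed advisory keeps counting up to today."""
    end = adv.fixed if adv.fixed is not None else today
    return (end - adv.published).days

def evaluate(advisories, today, max_median_days=30, max_open=0):
    """Return {library: (median_days_to_fix, open_count, ok)}.
    ok is False (the maintainers are 'lax') when the median time-to-fix
    exceeds max_median_days or more than max_open advisories are still open."""
    by_lib = {}
    for adv in advisories:
        by_lib.setdefault(adv.library, []).append(adv)
    report = {}
    for lib, advs in sorted(by_lib.items()):
        med = median(days_to_fix(a, today) for a in advs)
        open_count = sum(1 for a in advs if a.fixed is None)
        report[lib] = (med, open_count, med <= max_median_days and open_count <= max_open)
    return report

def lax_libraries(advisories, today, **limits):
    """Dependencies that fail the criteria and are candidates for replacement."""
    return [lib for lib, (_, _, ok) in evaluate(advisories, today, **limits).items() if not ok]

if __name__ == "__main__":
    for lib, (med, open_count, ok) in evaluate(SAMPLE, TODAY).items():
        print(f"{lib}: median {med} days to fix, {open_count} open -> {'OK' if ok else 'LAX'}")
```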

Fair point, although when you have dependencies from dozens or hundreds of different publishers, the risk is much higher because it only takes one getting compromised. If instead you only had a handful of core things, there's less surface area.