[gred]

Days since last malicious packages in NPM: 0 (evergreen)

Days since last malicious packages in PyPI: 30

Days since last malicious packages in Maven: 120

I'm sure this isn't 100% accurate, and there are probably better metrics (average number of malicious packages per year, average number of developers affected per year, etc) but they aren't as easy as a quick Google News search.

[_pdp_]

Except that the JavaScript / NPM ecosystem is 6-7 times larger than Python and Java / Maven.

https://chatgpt.com/share/6a1da751-0d88-832e-ace7-572bc786e0...

Check the linked resource which has the actual data.

[gred]

Thanks for the link. However, a 7x size differential does not fully explain a 100x security incident differential -- although I'm sure it's part of it. Some of the root causes are very hard to address (e.g. a very limited standard library which encourages dependency explosions), some are just hard (e.g. established cultural norms around version pinning and upgrades, well-established reliance on install scripts) and some are easier (e.g. small tool improvements like min-release-age). I'm personally not going to touch npm with a ten foot pole in the next year or two, but I'd love to see significant improvement, so that I have that option again in 2 or 3 years. Stay safe!

[_pdp_]

The npm cli has bad defaults which you can turn off but they are there I presume for legacy reasons. The secure option is pnpm. The registry is fine.

Also on our comment about size differential ... it absolutely can.

If I jump from 2 meters hight it will be mildly uncomfortable. Jumping from 12 meters will result in severe injurious and possibly death. None of these things go linearly in real world conditions.