It's bizarre to me that node has so little to lock down what dependencies can access, especially when it's such a free-for-all. Even if you take the good advice to specify specific dependency versions, you can't be 100% sure that when you update them, what you're updating to is safe. This idiot's actions seem amateurish. I imagine more thoughtful malware goes undetected - things that scan your hard disc for passwords, maybe something that targets individuals through social media ids on the naughty list, etc.
Allegedly deno (node successor, but not yet as popular) does something about the user of the dependencies being aware of, or having to explicitly grant access to things like the filesystem, which seems not-stupid. If you need to use node, and so many things use it these days - you should probably run it in a VM or something, and maybe play detective a bit and try to catch malicious things.
Software development failed to grow up.
In the 90s and early 2000s they tried to turn it into an engineering profession. Unfortunately they failed. Hipsters, dude bros, activists and idiots who think anyone can code after a weekend course took over.
wow it'd almost be like they were thrust into tech purposefully, i mean that would never happen in our world but still