
re: ESLint and the Problem with NPM

re: I personally think there is a serious attitude issue in the JS community where "don't reinvent the wheel" is taken to extremes. The fact that you ...
 

It's a really complex problem, hard to address.

In my opinion, it all comes down to everyone's responsibility. You have to check the stability of your direct dependencies and correct them if need be.

After all, the eslint event was pretty well handled.
About 1h for someone to notice the virus, and 4h for eslint to publish a new version, and even less for users to take down the pastebin. All potentially stolen tokens were quickly revoked.
That's the power of OSS.

ps: there's a 2FA option on NPM and every maintainer should activate it.

In my opinion, it all comes down to everyone's responsibility. You have to check the stability of your direct dependencies and correct them if need be.

Tooling should help though. npm-audit goes in the right direction.

Hmm yes, but it only warns for known issues. Which is good, but it lacks the human inspection for new vulnerabilities.

Yeah sure, it can't warn for something that's unknown.

Maybe in the future we'll have AI that can help with this sort of thing; in the meantime we just need to do better.
