DEV Community

Mark
NPM... we all knew this would happen eventually

I remember reading this article when it first came out on Medium.

Some highlights from the article:

The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all.

Although this is all made up, it worries me that none of this is hard.

There’s no shortage of smart, nasty people out there, and 580,000 npm packages. It seems to me that the odds are better than even that at least one of those packages has some malicious code in it, and that if it’s done well, you would never even know.

It's dated Jan 6, 2018; nine months later we have this.
I don't know what to say.

This all reminds me of Murphy's Law.

I know there is already a post discussing how to improve security, but what worries me the most is how toxic the GitHub thread became. Quoting them here would get me banned.

I know this is a very, very serious issue, but let's say you're new to open source or to coding in general and you finally manage to make a project that is useful to the community.

One day you open your repository to find ~500 comments, people shouting at how you screwed up big time and you don't know why. That isn't the best community experience.

I've always thought the MIT license mentioned that this can happen:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND

I was personally using Electron before tux0r from this community pointed this out:

This makes XSS particularly dangerous, as an attacker's payload can do some nasty things such as requiring the child_process module and executing system commands on the client side.

Link to the actual comment; a small shout-out and thanks.

Big shots do screw up.

What pops into my mind is this from Donald Knuth:

Err
and err
and err again
but less
and less
and less

Top comments (1)

Ondrej

This. This has always been an issue; it does not matter if we're talking about npm, pip, gems or others. It seems to me that people somehow got used to the fact that FOSS == inherently secure. Which is, of course, false.