Npm is the perfect attack vector. Thousands of ill-maintained packages with thousands of transitive dependencies.
Email one fed-up maintainer, get commit rights, spread the malware.
I don't even completely blame the maintainer; he, like many, probably couldn't wait to take that weight off his shoulders.
I can't think of an easy solution. A package with millions of weekly installs shouldn't be unmaintained, but how do you solve this issue once and for all?
Why did this happen to NPM and not another system? Partly, NPM is just a big target. But partly because NPM modules are tiny, so there are more modules and maintainers, which means more attack surface area. Create-react-app 2.1.1 installs 1,770 dependencies (excluding dupes).
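The size of that attack surface can be measured from the lockfile a project already ships. The script below is an added example, not code from the thread or from npm; it reads the `packages` map of a lockfileVersion 2/3 `package-lock.json`, counts distinct package names versus installed copies (the "excluding dupes" figure above), reports the deepest nesting level, and flags any entry that carries no `integrity` hash, since such an entry is not pinned to a specific tarball. The lockfile object is constructed for illustration; a real one would be loaded with `fs.readFileSync`.

```javascript
// Added example (not from the thread): measure the transitive dependency
// surface recorded in an npm lockfile and flag entries with no integrity hash.
// SAMPLE_LOCK is a constructed lockfileVersion 3 document; real projects would
// use JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { a: "^1.0.0", b: "^2.0.0" } },
    "node_modules/a": {
      version: "1.0.0",
      resolved: "https://registry.example.invalid/a/-/a-1.0.0.tgz",
      integrity: "sha512-CONSTRUCTED-A",
      dependencies: { c: "^1.0.0" },
    },
    "node_modules/b": {
      version: "2.0.0",
      resolved: "https://registry.example.invalid/b/-/b-2.0.0.tgz",
      integrity: "sha512-CONSTRUCTED-B",
      dependencies: { c: "^2.0.0" },
    },
    "node_modules/c": {
      version: "1.0.0",
      resolved: "https://registry.example.invalid/c/-/c-1.0.0.tgz",
      integrity: "sha512-CONSTRUCTED-C",
    },
    // Second copy of "c", nested under "b", with the integrity field missing.
    "node_modules/b/node_modules/c": {
      version: "2.0.0",
      resolved: "https://registry.example.invalid/c/-/c-2.0.0.tgz",
    },
  },
};

// "node_modules/b/node_modules/@scope/c" -> "@scope/c"
function packageName(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Number of node_modules segments: 1 for a top-level install, 2 for nested, ...
function nestingDepth(lockPath) {
  return lockPath.split("node_modules/").length - 1;
}

// Returns counts of installed copies, distinct names, duplicates, maximum
// nesting depth, and the lockfile paths that have no integrity hash.
function analyzeLockfile(lock) {
  const entries = Object.entries(lock.packages || {}).filter(([p]) => p !== "");
  const names = new Set();
  const missingIntegrity = [];
  let maxDepth = 0;
  for (const [lockPath, meta] of entries) {
    names.add(packageName(lockPath));
    maxDepth = Math.max(maxDepth, nestingDepth(lockPath));
    // Workspace links (meta.link === true) legitimately have no tarball hash.
    if (!meta.integrity && !meta.link) missingIntegrity.push(lockPath);
  }
  return {
    installed: entries.length,
    unique: names.size,
    duplicates: entries.length - names.size,
    maxDepth,
    missingIntegrity,
  };
}

const report = analyzeLockfile(SAMPLE_LOCK);
console.log(`${report.unique} distinct packages, ${report.installed} installed copies ` +
  `(${report.duplicates} duplicates), max nesting depth ${report.maxDepth}`);
for (const p of report.missingIntegrity) {
  console.log(`no integrity hash: ${p}`);
}
```

Run it against a real `package-lock.json` to get the "excluding dupes" count for your own tree; the `missingIntegrity` list is worth a CI check, because an entry without a hash can resolve to a different tarball on the next install.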
Be very careful of adding dependencies
It's easier said than done.
For example:
It’s probably much easier said than done to cut this off at the head, but static analysis + web crawling can probably go a lot further.
One side conversation is the dependency mayhem we engage in for reasons that have nothing to do with security.
Lots of reasons to trend conservative on including dependencies, especially on the client.
Left-pad had a big effect on me.