From <https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem>... - Node.js

nurkiewicz, 2 months ago

From https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem

a #npm package's manifest is published independently from its tarball
manifests are never fully validated against the tarball's contents

the ecosystem has broadly assumed the contents of the manifest & tarball are consistent

any tools or insights using the public registry are susceptible to exploitation/likely inaccurate

bad actors can hide malware & scripts in direct or transitive dependencies that go undetected

#JavaScript #NodeJS

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

+ jaandrle

Image

Image alternative text

Federation

Status:

On | Off

Instances:

/m/node

Threads (2)

Microblog (245)

All Content

People

Magazines

Collections

Thread

nurkiewicz

@nurkiewicz@fosstodon.org

Added: 2 months ago
Online: -
Boosts: 1

Magazine

Node.js

@node@kbin.social

All things related to node.js and server-side JavaScript runtimes

Rules

Requirements

be excellent to each other: treat each other with respect and kindness
be relevant: post things that might be of interest to those working with or learning node and adjacent technologies
leave discussions better than you found them: comment on items that you have something about, use the upvote button to indicate that you think a particular item is valuable even if you don’t agree with it

Recommendations

challenge yourself to upvote items when you disagree with its content, use the downvote button to signal that the discussion is bad poor or irrelevant
try your best to label content, especially OC, with relevant tags (help, opinion, etc)
embrace lists of three even if you have to make a filler item sometimes

Created: 11 months ago
Owner: samt
Subscribers: 26
Online: -

Moderators

samt

Active people

I created my first node module, it's publicly available, and it's usefulness is low. Regardless, here it is: https://www.npmjs.com/package/node-neb-muz....

1 month ago to random

I f*cking hate #Javascript and I hate #Node even more! All day I've been trying to get the latest version of #Strapi to build ... error after error after error and now, at random it's just decided to work after a whole wasted Sunday!

2 months ago to javascript

I’m looking for work! If you’re hiring and I seem like a fit, please reach out....

5 months ago to django

I am generally happy with programming, doesn't matter what language or stack. But compared to, say, PHP (not to mention Java), doing backend #Node kind of annoys me because of errors and debugging. I mean, I get (generally) very descriptive error messages and can debug, right into my IDE, in Java. In PHP, well, you can be bold...

4 months ago to random

Add comment