nurkiewicz, From https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem
- a #npm package's manifest is published independently from its tarball
- manifests are never fully validated against the tarball's contents
- the ecosystem has broadly assumed the contents of the manifest & tarball are consistent
- any tools or insights that rely on the public registry's manifest data are susceptible to exploitation and likely inaccurate
- bad actors can hide malware & scripts in direct or transitive dependencies that go undetected