






















Yeah, but this can be an issue with pretty much any language package repo. It's kind of a real problem, and maybe borderline insane to install the latest stuff from there on any computer with important data. Maybe a best practice is to install the latest version that has been out longer than, say, 2 months?
Posted Jun 1, 2026 18:07 UTC (Mon) by ibukanov (subscriber, #3942) [Link]
It was specifically JS that ended up with huge number of tiny packages vastly increasing the chance of compromise. I do not think it was just language popularity but specifically language features like tiny standard library and the way external modules are loaded that lead to this. Plus NPM made it too easy in retrospect to create and submit a package.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。