For some reason, NPM is the only ecosystem with substantial issues with supply-chain attacks.
Apart from that Python one the other day.
The culture within the npm/JS community has mainly been one of using the package manager rather than "re-inventing the wheel"; as such, the blast radius of a compromised package is much greater.
It is because it has the lowest barrier to entry with no quality control. Ever.
This is what happens when there is no barrier to entry and it includes everyone who has no idea what they are doing in charge of the NPM community.
When you see a single package having 25+ dependencies, that is bad practice and increases the risk of supply chain attacks.
Most of them don't even pin their dependencies and I called this out just yesterday on OneCLI. [0]
It just happens that NPM is the worst of all the ecosystems due to the above.
Popularity