When you (in Facebook's words) "Set up a modern web app by running one command", this is what happens: npm.anvaka.com/#/view/2d/rea…
The great LeftPad crash of 2016 proved that this much inter-connectivity has its detriments.
And that wasn't even done with malintent. Imagine the attack surface an actual bad actor has access to.
I think there are some ways to mitigate this, but all it takes is one junior developer adding a date picker component that includes a key logger and all bets are off. I don't think it will hit FAANG, it will hit somewhere with worse code quality control.
I think practically all platforms have the problem of unmanaged, unaudited external dependencies. Node and NPM are just so particularly easy to make fun of.

Jan 10, 2020 · 6:13 PM UTC

In general I think everyone still has an outdated "if it's in a repo I can trust it" attitude, but npm is the biggest package manager of the GitHub free-love era and so embraces it even more than the others.
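The thread's concern is how much of a project's tree a single direct dependency (the "date picker" in the example above) actually pulls in, and which entries a reviewer should look at first. The script below is an added example, not code from the thread or any project mentioned in it. It walks the `packages` map of an npm lockfile (v2/v3 layout), resolves nested `node_modules` the way npm does, counts the transitive closure of each direct dependency, and lists packages that declare install scripts (`hasInstallScript`) or lack an `integrity` hash. The lockfile object, package names and hash strings are constructed for the example; no real package is implied.

```javascript
// Constructed lockfile in npm v2/v3 "packages" layout (not a real project).
// Integrity strings are placeholders, not real hashes.
const CONSTRUCTED_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { 'date-picker': '^1.0.0', 'left-pad': '^1.3.0', moment: '^2.29.0' } },
    'node_modules/date-picker': {
      version: '1.0.0',
      integrity: 'sha512-PLACEHOLDER-date-picker',
      dependencies: { moment: '^2.0.0', 'tiny-native-helper': '^0.1.0' },
    },
    // Nested copy: date-picker's moment range does not match the top-level one.
    'node_modules/date-picker/node_modules/moment': { version: '2.0.0', integrity: 'sha512-PLACEHOLDER-moment-2.0.0' },
    'node_modules/moment': { version: '2.29.1', integrity: 'sha512-PLACEHOLDER-moment-2.29.1' },
    // Declares a lifecycle install script and has no integrity hash recorded.
    'node_modules/tiny-native-helper': { version: '0.1.0', hasInstallScript: true },
    'node_modules/left-pad': { version: '1.3.0', integrity: 'sha512-PLACEHOLDER-left-pad' },
  },
};

// Resolve `name` as required from the package at `fromPath` ('' = project root):
// look in the nearest node_modules, then walk up, as Node's loader does.
function resolvePath(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Breadth-first walk over `dependencies` (peer/optional deps are ignored here).
function transitiveClosure(packages, startPath) {
  const seen = new Set([startPath]);
  const queue = [startPath];
  while (queue.length) {
    const current = queue.shift();
    for (const depName of Object.keys(packages[current].dependencies || {})) {
      const depPath = resolvePath(packages, current, depName);
      if (depPath && !seen.has(depPath)) {
        seen.add(depPath);
        queue.push(depPath);
      }
    }
  }
  return seen;
}

// Summarise the tree: total installed packages, how many each direct
// dependency drags in, and the entries that deserve a manual look.
function auditLockfile(lock) {
  const packages = lock.packages;
  const perDirect = {};
  for (const name of Object.keys(packages[''].dependencies || {})) {
    const path = resolvePath(packages, '', name);
    perDirect[name] = path ? transitiveClosure(packages, path).size : 0;
  }
  const entries = Object.entries(packages).filter(([p]) => p !== '');
  return {
    packageCount: entries.length,
    perDirect,
    installScripts: entries.filter(([, m]) => m.hasInstallScript).map(([p]) => p).sort(),
    missingIntegrity: entries.filter(([, m]) => !m.integrity).map(([p]) => p).sort(),
  };
}

console.log(JSON.stringify(auditLockfile(CONSTRUCTED_LOCKFILE), null, 2));
```

On the constructed tree the report shows that `date-picker` alone accounts for three of the five installed packages, and that the one package with an install script is also the one with no integrity hash, which is exactly the kind of entry a code review should stop on. To run it against a real project, parse `package-lock.json` with `JSON.parse(fs.readFileSync(...))` and pass the result to `auditLockfile`.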