Hacker News

rectang, yesterday at 6:24 PM (3 replies)

The conclusion I'm coming to is that depending on packages which only have a single author is problematic. There are too many ways that packages published by one person can be compromised.

Packages which don't have approval and review by a reliable third party shouldn't be visible by default in a package manager.


Replies

bigiain, yesterday at 11:20 PM

How many of your dependencies have 2nd level dependencies which have even deeper dependencies on ZX Utils, or NX (or left_pad.js)?

(right now I don't know the answer to that for the stuff I'm responsible for, but I'm in the process of researching and setting up and configuring the sort of tools needed to automate that.)
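bigiain's question (which of your dependencies pull a given package in through second- or third-level dependencies) can be answered from the lockfile alone. The following is an added example, not code from the thread or from npm: it reads an npm lockfile in the lockfileVersion 2/3 layout (the "packages" map keyed by install path), applies npm's nearest-enclosing-node_modules lookup to resolve each dependency to its installed copy, and prints every chain from the root project down to a named package. The lockfile contents, package names and versions are constructed for the demo.

```javascript
// Added example (not from the thread): find every dependency chain in an npm
// lockfile that ends at a named package, so "do we depend on X transitively?"
// can be answered from package-lock.json alone, offline.
// Works on the lockfileVersion 2/3 layout, where "packages" maps install paths
// ("node_modules/a/node_modules/b") to package records.

// Constructed sample lockfile for the demo; names and versions are made up.
const SAMPLE_LOCK = {
  name: "myapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "myapp", dependencies: { "web-framework": "^1.0.0", "cli-helper": "^2.0.0" } },
    "node_modules/web-framework": { version: "1.4.2", dependencies: { "string-pad": "^1.0.0" } },
    "node_modules/cli-helper": { version: "2.1.0", dependencies: { "string-pad": "^2.0.0", "left_pad.js": "^1.3.0" } },
    "node_modules/string-pad": { version: "1.0.3", dependencies: { "left_pad.js": "^1.3.0" } },
    // cli-helper needs a different major of string-pad, so npm nests a second copy under it
    "node_modules/cli-helper/node_modules/string-pad": { version: "2.0.0" },
    "node_modules/left_pad.js": { version: "1.3.0" },
  },
};

// npm's lookup rule: starting at the dependent's own node_modules, walk up through
// each enclosing node_modules until an entry for depName is found.
function resolve(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${depName}` : `node_modules/${depName}`;
    if (Object.prototype.hasOwnProperty.call(packages, candidate)) return candidate;
    if (!base) return null; // reached the root without finding it: pruned or broken lockfile
    const cut = base.lastIndexOf("/node_modules/");
    base = cut < 0 ? "" : base.slice(0, cut);
  }
}

// Return every chain from the root project to `target`, one "a@1 > b@2 > target@3" string per chain.
function chainsTo(lock, target) {
  const packages = lock.packages;
  const chains = [];
  const walk = (pkgPath, trail, onTrail) => {
    const record = packages[pkgPath];
    // optionalDependencies are installed by default too, so include them
    const deps = Object.assign({}, record.dependencies, record.optionalDependencies);
    for (const depName of Object.keys(deps)) {
      const depPath = resolve(packages, pkgPath, depName);
      if (depPath === null) continue;
      const nextTrail = trail.concat(`${depName}@${packages[depPath].version}`);
      if (depName === target) chains.push(nextTrail.join(" > "));
      // cycle guard: real lockfiles contain cycles (e.g. via peer deps); never revisit
      // a path that is already on the current chain
      if (!onTrail.has(depPath)) walk(depPath, nextTrail, new Set(onTrail).add(depPath));
    }
  };
  walk("", [lock.name || "(root)"], new Set([""]));
  return chains;
}

// Stand-alone use: `node depchains.js package-lock.json left_pad.js`;
// with no arguments it runs against the constructed sample.
if (typeof require !== "undefined" && require.main === module) {
  const [file, target] = process.argv.slice(2);
  const wanted = target || "left_pad.js";
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const hits = chainsTo(lock, wanted);
  console.log(hits.length ? hits.join("\n") : `no dependency chain reaches ${wanted}`);
}
```

On the sample this reports two chains, one through web-framework and string-pad and one directly from cli-helper, while the nested string-pad@2.0.0 copy (which does not depend on the target) is correctly not reported. Running it over a real package-lock.json with a list of package names you consider single-maintainer gives the inventory the comment describes; for yarn or pnpm lockfiles the resolution step differs and this script does not apply.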

Hackbraten, yesterday at 6:34 PM (1 reply, not shown)

How are you supposed to gain collaborators for a project that no one can possibly find?

x0x0, yesterday at 7:31 PM (1 reply, not shown)

That's a lot of entitlement for things you haven't paid a cent for; not just multiple authors but trusted 3rd parties; approval and review; etc.
