alt Hacker NewsIt's reasons like this why I refuse to download Node or use anything NPM. Thankfully other languages are better anyways.
Replies
wetpaws • today at 3:40 AM
[dead]
waterTanuki • today at 4:10 AM
Because no other language has ever had supply chain attacks ever, in history. Nope.
https://blog.rust-lang.org/2022/05/10/malicious-crate-rustde...
https://en.wikipedia.org/wiki/Log4Shell
https://blog.pypi.org/posts/2024-12-11-ultralytics-attack-an...
https://about.gitlab.com/blog/gitlab-catches-mongodb-go-modu...
https://www.reversinglabs.com/blog/packagist-php-repo-supply...
➕ show 5 replies
Skipping Node sounds nice. PyPI and RubyGems have had the same mess, and npm gets more headlines because it is huge and churns fast, so you see more fresh landmines and more people stepping on them. Unless you plan to audit every dep and pin versions yourself, you're mostly trading one supply chain mess for another, with a tiny bit of luck and a differnt logo.