People make this joke often. It's package managers and how loose we are with installing them, not NPM.
Cargo, PyPI, NuGet, PHP have had these recently too.
It's not just NPM. It's frequently repeated here just because of the average bias against Node.
But this problem isn't isolated to NPM.
> It's frequently repeated here just because of the average bias against Node.
It’s frequently repeated here because NPM is where it keeps happening over and over and over and over and over and over again.
How many package managers allow executing arbitrary code as part of the installation process by default?
In short, the problem is `npm`, not NPM.
The problem is compounded with NPM though thanks to lifecycle scripts: yes, any and all package managers create a risk of supply-chain attack, but NPM makes it dangerous to merely open a project up in an IDE.
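The lifecycle-script point above is easy to check for yourself. The following is an added example, not code from anyone in this thread: a small Python audit that walks a `node_modules` tree and reports every package that declares an install-time hook (`preinstall`, `install`, `postinstall`, `prepare` and friends), including the implicit `node-gyp rebuild` that npm runs when a package ships a `binding.gyp` with no install script. The package names and manifests it builds for the demo are constructed samples, not real packages.

```python
"""Audit a node_modules tree for packages that run code at install time."""
import json
import tempfile
from pathlib import Path

# Hooks that `npm install` executes for a dependency. prepare (and its
# pre/post variants) additionally runs for git dependencies and the root
# project; prepublish is a legacy alias npm still honours on install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall",
                 "preprepare", "prepare", "postprepare", "prepublish")


def install_hooks(manifest: dict, has_binding_gyp: bool = False) -> dict:
    """Return {hook: command} for every install-time hook a manifest declares.

    A package that ships binding.gyp but declares neither install nor
    preinstall makes npm run `node-gyp rebuild` implicitly; that is reported
    as an implicit install entry so an audit does not miss it.
    """
    scripts = manifest.get("scripts") or {}
    found = {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}
    if has_binding_gyp and not any(h in scripts for h in ("install", "preinstall")):
        found["install"] = "node-gyp rebuild (implicit, binding.gyp present)"
    return found


def audit_node_modules(root) -> dict:
    """Map package name -> install hooks for every package under root.

    Every package.json below root is inspected, so scoped packages and nested
    node_modules directories are covered. Packages with no install hooks are
    omitted from the report.
    """
    report = {}
    for pkg_json in sorted(Path(root).rglob("package.json")):
        try:
            manifest = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, UnicodeDecodeError):
            continue  # not a manifest we can parse; skip it
        if not isinstance(manifest, dict):
            continue
        hooks = install_hooks(manifest, (pkg_json.parent / "binding.gyp").exists())
        if hooks:
            name = manifest.get("name") or str(pkg_json.parent)
            report[name] = hooks
    return report


# Constructed sample packages (not real npm packages) used for the demo.
SAMPLE_PACKAGES = {
    "harmless-lib": {"name": "harmless-lib", "version": "1.0.0",
                     "scripts": {"test": "node test.js"}},
    "chatty-telemetry": {"name": "chatty-telemetry", "version": "2.3.1",
                         "scripts": {"postinstall": "node ./collect.js"}},
    "@acme/native-thing": {"name": "@acme/native-thing", "version": "0.1.0"},
}


def build_sample_tree(base) -> Path:
    """Write the constructed packages into base/node_modules and return it."""
    nm = Path(base) / "node_modules"
    for folder, manifest in SAMPLE_PACKAGES.items():
        pkg_dir = nm / folder  # "@acme/native-thing" becomes a scoped subdir
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    # The native package ships a gyp file and no scripts: implicit node-gyp run.
    (nm / "@acme" / "native-thing" / "binding.gyp").write_text("{}", encoding="utf-8")
    return nm


def demo() -> dict:
    """Build the sample tree in a temp dir and return the audit report."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_node_modules(build_sample_tree(tmp))


if __name__ == "__main__":
    for pkg, hooks in demo().items():
        for hook, cmd in hooks.items():
            print(f"{pkg}: {hook} -> {cmd}")
```

Run it against a real checkout with `audit_node_modules("path/to/node_modules")` after an `npm install --ignore-scripts` (or with `ignore-scripts=true` in `.npmrc`), which fetches the packages without executing their hooks; the report then tells you which packages would have run code, so you can decide per package whether that is expected (native addons needing `node-gyp`) or something to investigate before enabling scripts.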