- The missing packages can be replaced by someone who wasn't the original package author (e.g. a malicious hacker)
- It's not easy to catch this ^^^ because NPM doesn't have support for signing versions in your project's dependency configuration... (I bet it will after this.)
- Almost every modern website has a dependency on NPM somewhere in their build chain
- NPM being down means loads of sites can't deploy properly
So yeah. This may be a really big deal.
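
One way a build can catch a package that was republished under the same name and version is to pin a content hash per dependency and check the downloaded bytes against it. This is an added example, not part of the original post; the `pins` table, the package names and the tarball bytes are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Preference order when a pin lists several digests (strongest first).
const ALGS = ['sha512', 'sha384', 'sha256'];

// Parse an SRI-style string ("sha256-<b64> sha512-<b64>") and return the
// strongest supported entry, or null when nothing usable is present.
function strongestPin(integrity) {
  const entries = String(integrity || '').trim().split(/\s+/)
    .map((e) => {
      const i = e.indexOf('-');
      return i < 0 ? { alg: '', b64: '' } : { alg: e.slice(0, i), b64: e.slice(i + 1) };
    })
    .filter((e) => ALGS.includes(e.alg) && e.b64.length > 0);
  entries.sort((a, b) => ALGS.indexOf(a.alg) - ALGS.indexOf(b.alg));
  return entries[0] || null;
}

// Build a pin string for known-good bytes (run once, commit the result).
function sri(alg, buf) {
  return `${alg}-${nodeCrypto.createHash(alg).update(buf).digest('base64')}`;
}

// Returns { id, status } where status is 'ok', 'mismatch' or 'unpinned'.
function checkTarball(id, tarball, pins) {
  const has = Object.prototype.hasOwnProperty.call(pins, id);
  const pin = has ? strongestPin(pins[id]) : null;
  if (!pin) return { id, status: 'unpinned' };
  const expected = Buffer.from(pin.b64, 'base64');
  const actual = nodeCrypto.createHash(pin.alg).update(tarball).digest();
  const same = expected.length === actual.length &&
    nodeCrypto.timingSafeEqual(expected, actual);
  return { id, status: same ? 'ok' : 'mismatch' };
}

// Check every fetched tarball; a deploy should stop unless all are 'ok'.
function audit(fetched, pins) {
  return Object.entries(fetched).map(([id, buf]) => checkTarball(id, buf, pins));
}

// Constructed sample data: stand-ins for tarball bytes, not real packages.
const original = Buffer.from('module.exports = function pad() { /* original author */ }');
const replaced = Buffer.from('module.exports = function pad() { /* someone else */ }');
const pins = { 'example-pad@1.0.0': sri('sha512', original) };

function demo() {
  return audit({
    'example-pad@1.0.0': replaced,   // same name and version, different bytes
    'example-util@2.1.0': original,  // fetched but never pinned
  }, pins);
}
```

A hash pin only proves the bytes are the ones that were reviewed when the pin was recorded; it says nothing about who published them.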