undefined | Better HN

0 pointssublinear7mo ago0 comments

The list of affected packages are all under namespaces pretty much nobody uses or are subdependencies of junk libraries nobody should be using if they're serious about writing production code.

I'm getting tired of the anti-Node.js narrative that keeps going around as if other package repos aren't the same or worse.

0 comments

4 comments · 4 top-level

rlpb7mo ago

You need to explain how one is supposed to distinguish and exclude "namespaces pretty much nobody uses" when writing code in this ecosystem. My understanding is that a typical Node developer pretty much has no control over what gets pulled in if they want to get anything done at all. If that's the case, then you don't have an argument. If a developer genuinely has no control, then the point is moot.

1 more reply

pxc7mo ago

The only way a worm like this spreads is usage of the affected packages. The proliferation itself is clear evidence of use.

DJBunnies7mo ago

Ok, I'll bite; which package repos are "the same or worse" than those of nodejs?

1 more reply

macNchz7mo ago

I see a bunch under major SaaS vendor namespaces that have millions of weekly downloads…?

1 more reply

j / k navigate · click thread line to collapse