I just noticed "foreach" on npm is controlled by a single maintainer.
I also noticed they let their personal email domain expire, so I bought it before someone else did.
I now control "foreach" on NPM, and the 36826 projects that depend on it.
@wolf480pl Preventing other people from using it is enough. That and using it as a chance to educate pepole on why thy can't trust NPM.
If someone asks me nicely with a rubber hose, I will be obliged to hand over access.
There is a reason the name of my company is "Distrust"
Distrust should lead to Distributed Trust.
Demand multisig code reviews, and multisig reproducibly built releases for anything that matters.
@email@example.com foreach sounds like a package that you shouldnt need with Array.prototype.forEach
@Johann150 yes, that's true. It made it into ECMAScript 5.1
Now if you've for _some_ weird reason a system that requries some _older_ build target you get a polyfill.
That was provided by packages like this and should be helluvEOL nowadays. There are better suited and highly automated polyfills.
Anyway, the issue is very real. This happened before and will happen again.
It's also the very same for most language depending package managers out there and this is why version pinning is a thing.
@RyunoKi …and browser extensions and game mods. Heck, whatever allows to regain access to an account via mail basically.
No 2FA on your Google Dev account? Too bad 🙃
@valhalla @clacke @federico3 @bekopharm @Sandra @lrvick @technicallypossible @ruffni @Johann150 @RyunoKi also, since with the first layer you have to re-audit with every update, you may as well vendor that dependency (as in, put a copy of a specific version in your repo), so arguably github could be enough as the first layer
There's a series of articles starting from:
Most of the time you just need an ephemeral run akin to running chroot.
I was not-so-subtly suggesting, rather, that having the power to specifically exclude certain classes of genocidal business from using a large swathe of NPM stuff for their websites or back-ends would be.. tempting.
@lrvick I wonder if anyone ever tried monetization...ya know, show a popup ad everytime someone enters a foreach section.
also, explored it & very quickly went from "why does js even need a foreach package" to "oh, it's only 21 lines" :)
@patterfloof @lrvick I'm tertibly amused when I see node devs adding dependencies for stuff like this, meanwhile my "fun" project has a custom json parser/emitter with entity inheritance, a reimplementation of gettext, a curses-to-windows-terminal API adapter, and internal implementations of several c++ std types.
@lrvick if the email wasn't public it'll help a bit. I tend to register to various platforms with my private email address and share public one with everybody else unfortunately many platforms leak your email somewhere.
The original server operated by the Mastodon gGmbH non-profit