Today's compromised npm package: https://github.com/dominictarr/event-stream/issues/116 only had the malicious code in the minified version.
We don't always think of JS as a compiled language, but reproducible/verifiable compilation would have helped here.
@wilfredh I tried to come up with a silver bullet solution, but it's tricky.
Ideally every package usage would include a hash of the exact version it uses, then someone couldn't change the code under everyone's nose. But with this, it's not possible to easily release security patches...
@MightyPork Stupid question: why not? Surely you'd still push the relevant commits to your git repo?
@wilfredh yes, but people using it as a dependency of dependency or deeper will get it with a long delay, if at all
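The pinning scheme discussed in this thread, as an added example that is not part of the original posts: a lockfile records a Subresource-Integrity style hash of the exact artifact that was audited (the minified build, since that is what shipped here), and every later install recomputes the hash over what it actually fetched. The artifacts, the package version string and the lockfile layout are constructed for illustration; the only thing taken from the thread is the package name.

```python
import base64
import hashlib
import hmac

# Constructed sample artifacts (not the real event-stream code): the minified
# build a maintainer published, and the same build with extra bytes appended.
PUBLISHED_MIN_JS = b"module.exports=function(s){return s.pipe?s:null};"
TAMPERED_MIN_JS = PUBLISHED_MIN_JS + b"/* injected */"


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource-Integrity style string: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_lockfile(name: str, version: str, artifact: bytes) -> dict:
    """Lockfile entry recorded when the dependency was first audited (layout is hypothetical)."""
    return {name: {"version": version, "integrity": sri(artifact)}}


def verify(name: str, artifact: bytes, lockfile: dict) -> bool:
    """Recompute the pinned hash over the fetched artifact; reject on any mismatch.

    Fails closed: a missing entry, a malformed integrity string or an unknown
    hash algorithm all count as a verification failure.
    """
    entry = lockfile.get(name)
    if entry is None:
        return False
    pinned = entry.get("integrity", "")
    algo, sep, _ = pinned.partition("-")
    if not sep or algo not in hashlib.algorithms_available:
        return False
    # Constant-time comparison so timing does not leak how much of the hash matched.
    return hmac.compare_digest(sri(artifact, algo), pinned)


# Version string is a placeholder, not a real event-stream release.
LOCK = build_lockfile("event-stream", "0.0.0-example", PUBLISHED_MIN_JS)


if __name__ == "__main__":
    print("pinned:", LOCK["event-stream"]["integrity"])
    print("published build verifies:", verify("event-stream", PUBLISHED_MIN_JS, LOCK))
    print("tampered build verifies: ", verify("event-stream", TAMPERED_MIN_JS, LOCK))
```

The caveat raised in the thread shows up directly in this design: a genuine security release changes the artifact and therefore the hash, so every consumer's lockfile (and the lockfiles of everything that depends on them) has to be updated before the fix reaches them. Hash pinning turns a silent substitution into a hard install failure, but it does not by itself shorten the patch propagation delay described above.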