There are an astronomically high number NPM packages attached to emails on expired domains, it would be trivial to buy those domains, respin up the emails, reset some passwords and burn down the web.

@BrodieOnLinux Aren't the packages signed? Aren't the dependency version hashes locked? I'm not so familiar with NPM but it seems crazy if not.


@sharperguy Good meme, imagine NPM having sensible security practices. The answer is a resounding no, anybody at any time can push a change to an NPM package if they have the account permissions.

· · Web · 1 · 0 · 1

@sharperguy While people using the dependency can lock there project to a specific version a lot of projects are written by insane people and say use the latest version

Sign in to participate in the conversation

Linux geeks doing what Linux geeks do...