Hmm, sure, I can agree that the position is extremist, I still don't agree that 1 (or some) extremist positions makes the current people in power extremist. Or at least, maybe they are, but I think most of the alternatives are more extremist.
Not really, app sec companies scan npm constantly for updated packages to check for malware. Many attacks get caught that way.
e.g. the debug + chalk supply chain attack was caught like this: https://www.aikido.dev/blog/npm-debug-and-chalk-packages-com...
Again, I disagree, I wouldn't call it extremist. It's vile and wrong, but people all over the political spectrum are in favour of this. there's a difference between something being bad or self-serving, and something being extremist. Labelling everything as extremist does not help anyone, especially today when everyone is already highly divided.
No way I'm getting into the restrict state powers discussion as that is highly complex and not something that can properly be discussed on an internet forum.
There's multiple security firms by now that constantly scan updated npm packages for malware. Obviously those companies can only do this after a new package has been published.
Npm could add this as an automated step during publishing.
Sure, there's a manual review needed for anything flagged, but you can easily fix this as well by having smth like a trusted contributor program where let's say you'd need 5 votes to overrule a package being flagged as malware
their actions are clearly not extremist, absolutely not perfect and not always equally democratic, but not extremist or violent like the actual extremists...
on the other hand, the previous supply chain attack was found by automated tech.
Also, if MS would be so kind as to just run similar scans at the time a package is updated instead of after the package is updated (which is the only way the automated tech can run if npm doesn't integrate it), then malware like this would be way less common.
Yes to the you guys can detect it in my codebase, but it's generally not required for someone to report a compromised package, we do also discover them ourselves quite fast due to automated scans of npm package updates. This is how aikido was first to discover the previous supply chain hack.
I'm so sick of people saying this.
If you use js for any non-tiny project, you'll have a bunch of packages.
Due to how modules work in js, you'll have many, many sub dependencies.
Nobody has time to review every package they'll use, especially when not all sub dependencies have fully pinned versions.
If you have time to review every package, every time it updates, you might as well just write it yourself.
Yes, this is a problem, no reviewing every dependency is not the damn solution
I think it's quite good, there's a sense of urgency, but it's also not "immediately change it!"
they gave more than a day, and stated that it would be a temporary lock. Feel like this one really hit the spot on that aspect.
You should still never click a link in an email like this, but the urgency factor is well done here