
Installed a package with npm today. It went like this:

First, npm warned about two known security holes in libraries, but installed them anyway. One was a 2017 code execution vulnerability in some kind of eval library, fixed in a newer version, but the dependency had not been updated. Yikes.

Then npm crashed. I restarted it.

Then a package used a postinstall script to display an advertisement.

Then a package used a postinstall script to download a binary blob.

fin

. @joeyh much of the distaste for JavaScript and node stemm(ed|s) from the rank immaturity of the culture.
