Another day, another "this could totally happen to anyone but just happened to hit npm" story.
True enough, although npm does happen to be in a place of significant usage/consequence in the current web ecosystem.
Would the scale have been the same though? This particular package is pretty popular by itself, but I’d bet a big chunk of its 2M+ weekly downloads comes from the fact that it’s a dependency for popular packages such as babel and webpack. Why on earth would I need to download a linter in order to run babel? What kind of dependency tree is that?
Even if you try to keep your dependencies as slim as possible, it’s absolutely unreasonable to expect to be able to audit the thousands of dependencies a single dependency may have, with all of them having the same permissions as the code I write to run arbitrary code on my machine. Are these really possible elsewhere?
Reminds me of this piece.
Same as https://github.com/eslint/eslint-scope/issues/39