My crazy theory is that it’s a hack by someone who had an untouchable devops script with the typo, so made the package to fix the deployment pipeline.
But really, NPM could do a better job of protecting against names like this. The package is harmless (for now), but it’s not a stretch to imagine malware typosquatting.
Distressingly possible.
Lodash is super mad that they didn’t just name their library _ on NPM.
“Why not use lodash? You might already have it as a dependency!”
That’d cause a lot of confusion with Underscore though… “which fork am I installing again?”
But it would still be pretty funny :D