Lots of comments here about the safety of the password implementation, and how you might be able to improve it. I’m not sure that would be a great thing to encourage either.
I really think that in the vast majority of cases, rather than writing a half-hearted example implementation or rolling your own auth, it’s worth the extra dependency to use a reputable library that assists in dealing with password generation and authentication. Especially as someone just getting started with writing server side applications.
Not at all saying that the topic of authentication and proper password storage isn’t worth learning about, it’s just very much not a thing you should be reasonably expected to totally understand before making websites. Completely valid to use the resources at our disposal.
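To make the point above concrete, here is an added example (not code from the original thread) of the pieces a password-storage routine has to get right: a per-user random salt, a slow key-derivation function with a tunable work factor, a self-describing stored format so the parameters can be raised later, and a constant-time comparison on verify. It uses only the Python standard library (`hashlib.pbkdf2_hmac`, `secrets`, `hmac`); the iteration count and the `pbkdf2_sha256$...` storage format are assumptions made for this example. This is exactly the kind of detail a reputable library handles for you, so treat it as a reading aid for evaluating such libraries rather than as a replacement for one.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example. 600,000 iterations is the figure
# OWASP's Password Storage Cheat Sheet gives for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing hash string: algorithm$iterations$salt$digest."""
    # A fresh random salt per password defeats precomputed (rainbow) tables
    # and makes identical passwords produce different stored values.
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored parameters and compare safely."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != ALGORITHM:
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        # Malformed or unexpected record: never treat it as a match.
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than current policy."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Because the iteration count is stored alongside the digest, `needs_rehash` lets an application transparently upgrade old records on the user's next successful login when the policy is raised.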
Meta question: do we really need a separate post every time someone puts up a typosquatting package on a public repository? These aren’t instances of the package indexes being compromised, or of accounts of legitimate maintainers being compromised, they’re always just people throwing stuff out there in package names they hope someone will be tricked into installing. Which is just a known part of running a public package index. It would only be newsworthy if the index was refusing to take action when these packages get reported, and nobody’s presented evidence of that, at least not that I’m aware of.
It would also be news if a repository figured out how to significantly reduce the frequency of these compromises.
I wonder why they haven’t added a feature where packages with a name that’s one character off from a package with a certain number of monthly downloads require additional verification measures. Maybe there just aren’t enough resources for that sort of review process?
Crafting a set of automatic rules that a) don’t get in the way of good actors, and b) can’t trivially be avoided by bad actors would be really difficult.
I’d rather hear this news, just in case I have such a package in my dependencies. The techniques are also interesting.
This is something that’s more easily fixed with auditing tools in your projects than with hoping someone will post an article on an aggregator you follow; there’s also the fact that the package will just stop installing because it was yanked by the index.