dist-epoch 4 days ago

Given that most of these kinds of attacks are detected relatively quickly, NPM should implement a feature where it doesn't install/upgrade packages newer than 3 days, and just uses the previous version.

jowea 4 days ago | parent | next [-]

What if the latest patch is (claiming to be) a security fix? Then that's 3 days of more insecurity.
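The cooldown rule proposed above, and the security-fix caveat raised in reply, sketched as an added example (not code from npm or from either commenter): it selects the newest release that is at least N days old from a registry-style `time` map, and also returns the younger versions it skipped so a human can check whether one of them is a security fix worth pulling in early. The `SAMPLE_TIME` metadata and the fixed `NOW` timestamp are constructed for the example.

```python
"""Apply a publish-age cooldown to npm-style version metadata."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the registry's "time" field
# (GET https://registry.npmjs.org/<name> -> {"time": {"created": ..., "<version>": "<iso8601>"}}).
SAMPLE_TIME = {
    "created": "2024-01-10T12:00:00.000Z",
    "modified": "2025-09-08T14:00:00.000Z",
    "1.4.0": "2024-01-10T12:00:00.000Z",
    "1.4.1": "2025-06-02T09:30:00.000Z",
    "1.5.0": "2025-09-08T14:00:00.000Z",  # published one hour before NOW
}
NOW = datetime(2025, 9, 8, 15, 0, tzinfo=timezone.utc)  # fixed so the example is deterministic

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")  # stable releases only; pre-releases are ignored


def _parse_iso(ts):
    """Registry timestamps are UTC with millisecond precision and a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def _vkey(version):
    """Sort key: numeric major/minor/patch, so 1.10.0 sorts above 1.9.0."""
    return tuple(int(part) for part in _SEMVER.match(version).groups())


def select_version(time_map, min_age_days=3, now=None):
    """Return (chosen, held_back).

    chosen    -- newest stable version published at least min_age_days ago, or None
    held_back -- newer versions skipped because they are too young; review these
                 by hand in case one of them is a security fix you want now.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=min_age_days)
    releases = {v: _parse_iso(t) for v, t in time_map.items() if _SEMVER.match(v)}
    newest_first = sorted(releases, key=_vkey, reverse=True)
    chosen = next((v for v in newest_first if releases[v] <= cutoff), None)
    held_back = [v for v in newest_first if releases[v] > cutoff]
    return chosen, held_back


if __name__ == "__main__":
    chosen, held = select_version(SAMPLE_TIME, min_age_days=3, now=NOW)
    print(f"install {chosen}; held back (too new): {held}")
```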

mcintyre1994 4 days ago | parent | prev | next [-]

Would it be spotted quickly if nobody got the update though? It'd probably just go undetected for 3 days instead. In this case one team spotted it because their CI picked up the new version (https://jdstaerk.substack.com/p/we-just-found-malicious-code...).

skybrian 4 days ago | parent [-]

The question is who picks up the vulnerable version first. With minimal version selection (like Go has), the people with a direct dependency on the vulnerable library go first, after running a command to update their direct dependencies. People with indirect dependencies don’t get the new version until a direct dependency does a release pointing at the vulnerable version, passing it on.

Not sure if that would be a better result in the end. It seems like it depends on who has direct dependencies and how much testing they do. Do they pass it on or not?
