sublinear 7 hours ago

The affected packages are all under namespaces pretty much nobody uses, or are subdependencies of junk libraries nobody should be using if they're serious about writing production code.

I'm getting tired of the anti-Node.js narrative that keeps going around as if other package repos aren't the same or worse.

rlpb 3 hours ago | parent | next

You need to explain how one is supposed to distinguish and exclude "namespaces pretty much nobody uses" when writing code in this ecosystem. My understanding is that a typical Node developer pretty much has no control over what gets pulled in if they want to get anything done at all. If that's the case, then you don't have an argument. If a developer genuinely has no control, then the point is moot.

sublinear 2 hours ago | parent

How is this situation any different from any other ecosystem? I think you don't have an argument here other than that npm is a relatively large public repository. Bad actors and ignorant developers are everywhere else too.

There are plenty of npm features to help assess packages and prevent unintended updates, but nothing replaces due diligence.

pxc 7 hours ago | parent | prev | next

The only way a worm like this spreads is usage of the affected packages. The proliferation itself is clear evidence of use.

DJBunnies 7 hours ago | parent | prev | next

Ok, I'll bite; which package repos are "the same or worse" than those of nodejs?

cluckindan 6 hours ago | parent

All of them. The issue at hand is not limited to a specific language or tool or ecosystem, rather it is fundamental to using a package manager to install and update 3rd party libraries.

macNchz 6 hours ago | parent | prev

I see a bunch under major SaaS vendor namespaces that have millions of weekly downloads…?

sublinear 6 hours ago | parent

Popular junk is still junk.