rvz 7 hours ago

Very concerning, so that was what the "impending disaster" was as I first noted. [0] Quite worrying that this happened again to the NPM ecosystem.

Really looking forward to a deeper post-mortem on this.

[0] https://news.ycombinator.com/item?id=46031864

jacquesm 7 hours ago

It will keep happening until someone takes responsibility and starts maintaining the whole of the Node ecosystem. This is probably a viable start-up idea: Node but audited.

venturecruelty 30 minutes ago

You don't even need to enshittify Yet Another Service, you just need package maintainers. Debian manages to do this, and I'm guessing they get paid nothing (although, yeah, Amazon and The Goog really ought to chip in a few bucks, considering their respective empires). Unfortunately, it means you can't just YOLO your code into other people's programs anymore.

jacquesm 27 minutes ago

> Unfortunately, it means you can't just YOLO your code into other people's programs anymore.

That's a good thing, in my book.

venturecruelty 25 minutes ago

Oh, agreed 100%. I find it endlessly frustrating that these same conversations happen every single time there's a supply chain attack like this, because nobody wants an _actual_ solution, they want an _easy_ solution that doesn't involve changing anything about how they work. So we just get 500 comments asking if we can solve the Halting Problem, and then everyone forgets until the next breach. It was ever thus.

notpachet 6 hours ago

Maybe we can convince Shopify to hijack NPM too while they're at it.