Cthulhu_ 5 hours ago
Node is fine, the issue lies in its package model and culture:

* Many dependencies, so many that you don't know (and stop caring) what is being used.
* Automatic and regular updates, new patch versions for minor changes, and a generally accepted best practice of staying up to date on the latest versions of things, due to trauma from old security breaches or big migrations after not updating for a while.
* No review, trust-based self-publishing of packages and instant availability.
* Untransparent pre/postinstall scripts.

The fix is both cultural and technological:

* Stop releasing for every fart; once a week is enough, the only exception being critical security reasons.
* Stop updating immediately whenever there's an update; once a week is enough.
* Review your updates.
* Pay for a package repository that actually reviews changes before making them widely available. Actually, I think the organization behind NPM should set that up; there are trillion-dollar companies using the Node ecosystem that would be willing and able to pay for some security guarantees.
dboreham 4 hours ago | parent
Microsoft owns npmjs.com. They could pay for AI analysis of published version deltas, looking for backdoors and malware.