| ▲ | HighGoldstein 5 hours ago |
| Mitigate? Stop using random packages. Prevent? Stop using NPM and similar package ecosystems altogether. |
|
| ▲ | cromka 4 hours ago | parent | next [-] |
| That package wasn't any more random than any other NodeJS package. NPM isn't inherently different from, say, Debian repositories, except the latter have oversight and stewardship and scrutiny. That's what's needed and I am seriously surprised NPM is trusted like it is. And I am seriously surprised developers aren't afraid of being sued for shipping malware to people. |
| |
| ▲ | bigfatkitten 4 hours ago | parent [-] |
| > NPM isn't inherently different from, say, Debian repositories, except the latter have oversight and stewardship and scrutiny. |
| Which when compared to NPM, which has no meaningful controls of any sort, is an enormous difference. |
|
| ▲ | metaltyphoon 5 hours ago | parent | prev | next [-] |
| > and similar package ecosystems altogether |
| Realistically, this is impossible. |
| |
| ▲ | baq 4 hours ago | parent [-] |
| At some point having LLMs spit out libraries for you might be safer than actually downloading them. |
|
| ▲ | morshu9001 4 hours ago | parent | next [-] |
| This does help. Even before, I was pretty careful about what I used, not just for security but also simplicity. Nowadays it's even easier to LLM-generate utils that one might've installed a dep for in the past. |
|
| ▲ | Eduard 4 hours ago | parent | prev | next [-] |
| LLMs will happily copy-paste malware or add them as dependencies. |
|
| ▲ | Muromec 4 hours ago | parent | prev [-] |
| This kicks the can down the road until we get supply chain attacks through LLM poisoning, like we already do with propaganda. |
|
| ▲ | christophilus 2 hours ago | parent [-] |
| Well, he didn’t say vibe code. Presumably, you’d still be reviewing the AI code before committing it. I ran a little experiment recently, and it does take longer than just pulling in npm dependencies, but not that much longer for my particular project: logging, routing, rpc layer with end-to-end static types, database migrations, and so on. It took me a week to build a realistic, albeit simple app with only a few dependencies (Preact and Zod) running on Bun. |
|
| ▲ | anthk 4 hours ago | parent | prev [-] |
| Does this happen with CPAN? At least they seemed to have policies: https://security.metacpan.org/ |