I am seriously surprised developers trust NodeJS to this extend and aren't afraid of being sued for inadvertently shipping malware to people.

It's got to be a matter of time, doesn't it, before some software company gets in serious trouble because of that. Or, NPM actually implements some serious stewardship process in place.

▲

paularmstrong 4 hours ago | parent [-]

This has nothing to do with NodeJS or NPM. The code is freely distributed, just like any open source repo or package manager may provide. The onus is on those who use it to audit what it actually does.

	▲	cromka 4 hours ago \| parent [-]
		It absolutely does have to do with it. If we continued to ship software libraries like we still do on Linux, then you wouldn't be downloading its releases straight from the source repo, but rather have someone package and maintain them. Except at the granularity of NodeJS packages, it would be nearly impossible to do.