slopinthebag 11 hours ago
Come on dude. The issue is the frequency and magnitude of these attacks. Log4Shell was also not a supply chain attack. I looked at the Rust one for example, which is literally just a malicious crate someone uploaded with a name similar to a popular one:

> The crate had less than 500 downloads since its first release on 2022-03-25, and no crates on the crates.io registry depended on it.

Compared to Axios, which gets 83 million downloads and was directly compromised. What an extremely disingenuous argument lol
waterTanuki 8 hours ago
What exactly do you think the argument is? The issues have everything to do with npm as a platform and nothing to do with JS as a language. You can use JS without npm. Saying you'll escape supply chain attacks by not using JS is like saying you'll be saved from a car crash with a parachute.