this post was submitted on 11 Feb 2024
128 points (95.7% liked)
Programming
17369 readers
450 users here now
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Rules
- Follow the programming.dev instance rules
- Keep content related to programming in some way
- If you're posting long videos try to add in some form of tldr for those who don't want to watch videos
Wormhole
Follow the wormhole through a path of communities [email protected]
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I know it's fun to mock
npm
, but it any package registry secure from something like this? Is there any public package registry that reviews all its packages?CC BY-NC-SA 4.0
It's less of an issue of reviewing all packages than it is that this causes DOS in the first place. It's pretty damn stupid that you can't unpublish packages others depend on, and the whole recursive dependencies thing makes the situation a lot worse than it otherwise would be. Neither of these are issues with other package registries.
One problem that's particular to node is that you can't unpublish packages if another package depends on them. As it says in the article, that means that no one can unpublish their packages, including the everyone package since someone apparently depends on that.