The Node.js Ecosystem Is Chaotic and Insecure

Casper Beyer
Commit Log
Published in
4 min read · Mar 30, 2018


[Image: A modern web developer at work]

It seems like only yesterday we had the “left-pad” fiasco, where Azer Koçulu ended up pulling all of his packages after a dispute over a package name.

The dangerous part wasn’t that the code was deleted. That only broke builds, which everyone noticed immediately, and the whole ordeal lasted a couple of hours.

The dangerous part was that left-pad was a tiny, redundant package that nobody would ever bother to audit before deploying. Once the name was freed up, anyone could have published a package in its place with the same functionality plus a bit of malicious code, and gotten a free ride into essentially anything that ran JavaScript.

Well, it sure is a good thing we learned our lesson from that isn’t it?

We Still Can’t Code

When left-pad hit, developers from other camps had their laughs at how such a tiny piece of code could be a module. Good thing we have learned by now, right? Well, no, not at all.

The following wonder of engineering, aptly named is-odd, has around 500,000 downloads per day.


Indie Game Developer, Professional Software Developer and Expert Jak Shaver. Working on Deno.