“So that’s the baseline we actually have: by using a package manager you are expressing a certain level of trust in the entire system. Anyone who uses npm is automatically allowing usually-unreviewed arbitrary remote code execution.”

Kat Marchán · Peter Dotchev · Aug 24, 2017 · 1 min read

With 0.5M packages this is quite a lot of trust.