The Node.js Ecosystem Is Chaotic and Insecure
The deletion itself wasn’t really the dangerous part: it only broke builds, which everyone noticed immediately, and the whole ordeal lasted about two hours.
Well, it sure is a good thing we learned our lesson from that, isn’t it?
We Still Can’t Code
When left-pad hit, developers from other camps had their laughs at how such a tiny piece of code could be a module. Good thing we have learned by now, right? Well, no, not at all.
The following wonder of engineering, aptly named is-odd, has around 500 000 downloads per day.
Going through its dependents tree, I found hundreds of projects depending on it, and more importantly the big players, including Webpack, BrowserSync and Babel, depend on it.
Basically this means that if this package were a trojan waiting to do a bait-and-switch in a patch release (which every caret or tilde range would pick up automatically on the next install), it could not only run code on the developer’s machine but also inject itself into the code generation of whatever preprocessors load it via require, including Babel and Webpack.
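As an added example (not code from the original post or from any of the projects named), the following script models the blast radius the paragraph describes. Given a constructed, lockfile-like dependency graph, it lists every package that transitively pulls in a target and which declared ranges (caret, tilde or exact) would accept a new patch or minor release of that target without anyone editing a manifest. The package names other than is-odd and is-number, all versions and ranges, and the minimal semver matcher are assumptions made up for illustration.

```javascript
"use strict";

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release tags are not handled.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version syntax: ${v}`);
  return m.slice(1).map(Number);
}

// Compare two parsed versions: negative, zero or positive, like strcmp.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Does `range` accept `version`? Supports exact "x.y.z", tilde "~x.y.z"
// (patch bumps only) and caret "^x.y.z" (npm rules: minor and patch bumps
// for >= 1.0.0, patch bumps only for 0.y.z, exact match for 0.0.z).
function satisfies(range, version) {
  const op = "^~".includes(range[0]) ? range[0] : "";
  const base = parseVersion(op ? range.slice(1) : range);
  const v = parseVersion(version);
  if (!op) return compareVersions(v, base) === 0;
  if (compareVersions(v, base) < 0) return false;
  if (op === "~") return v[0] === base[0] && v[1] === base[1];
  if (base[0] > 0) return v[0] === base[0];
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
  return compareVersions(v, base) === 0;
}

// Constructed dependency graph in the shape of a flattened lockfile:
// name -> { version, deps: { depName: declaredRange } }. The names,
// versions and ranges are made up for this example (assumption).
const GRAPH = {
  "app":          { version: "1.0.0", deps: { "bundler-x": "^4.0.0", "transpiler-y": "^7.0.0", "tiny-util": "1.0.0" } },
  "bundler-x":    { version: "4.1.0", deps: { "is-odd": "^2.0.0" } },
  "transpiler-y": { version: "7.2.0", deps: { "is-odd": "~2.0.0" } },
  "tiny-util":    { version: "1.0.0", deps: { "is-odd": "2.0.0" } },
  "is-odd":       { version: "2.0.0", deps: { "is-number": "^4.0.0" } },
  "is-number":    { version: "4.0.0", deps: {} },
};

// Every package that transitively depends on `target`: its blast radius.
function reverseDependents(graph, target) {
  const parents = {};
  for (const [name, { deps }] of Object.entries(graph))
    for (const dep of Object.keys(deps)) (parents[dep] = parents[dep] || []).push(name);
  const seen = new Set();
  const queue = [target];
  while (queue.length) {
    for (const p of parents[queue.shift()] || [])
      if (!seen.has(p)) { seen.add(p); queue.push(p); }
  }
  return [...seen].sort();
}

// Direct edges onto `target` whose declared range would pull `newVersion`
// on the next unpinned install: the bait-and-switch window.
function floatingEdges(graph, target, newVersion) {
  const hits = [];
  for (const [name, { deps }] of Object.entries(graph))
    if (target in deps && satisfies(deps[target], newVersion))
      hits.push({ from: name, range: deps[target] });
  return hits;
}

function main() {
  const target = "is-odd";
  console.log(`packages reached through ${target}:`, reverseDependents(GRAPH, target).join(", "));
  for (const v of ["2.0.1", "2.1.0", "3.0.0"]) {
    const edges = floatingEdges(GRAPH, target, v).map(e => `${e.from} (${e.range})`);
    console.log(`ranges that silently accept ${target}@${v}:`, edges.join(", ") || "none");
  }
}

if (typeof require !== "undefined" && require.main === module) main();
```

Only the exact pin in the constructed graph refuses the hypothetical 2.0.1; the caret and tilde ranges both take it, and the caret range takes 2.1.0 as well. A committed lockfile plus `npm ci` closes the same window for a whole project, which is the check a practitioner should actually apply.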
Now that’s a lot of power to give to a package that should just have been a single modulus or bitwise operator call.
But surely this is a freak occurrence, right? Actually no; it’s common practice today. The “do not repeat yourself” mantra has been taken a bit too literally, to the point where many consider even writing a basic one-liner to be reinventing the wheel.
The is-number package has nearly two million downloads per day.
is-odd depends on this…