
Hugh,

On Thu, Jan 23, 2020 at 11:08 AM D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:

> https://www.zdnet.com/article/microsoft-spots-malicious-npm-package-stealing...
>
> This article lists six cases of malware contributed to npm (the repo for sharing node.js and JavaScript source).
>
> How many undetected cases exist?
>
> I've always pretended that Linux distros vet their code.

They do, but npm is different. npm is independent of the distro itself. And people want to use npm because it gives them the latest and the greatest.

> I'm not sure how true that is. Probably the greatest protection is the time delay between contribution and distribution.

I would be wary of this approach. There are a bunch of security fixes where you probably don't want too long a delay. Part of the responsibility also lies on the user to validate the update. With it being open source, and a "volunteer" model, some of that has to be accepted by the user.

Dhaval