• onlinepersona · 6 up / 2 down · 10 months ago

    I know it’s fun to mock npm, but is any package registry secure from something like this? Is there any public package registry that reviews all its packages?

    CC BY-NC-SA 4.0

    • expr · 6 up · 10 months ago

      It’s less of an issue of reviewing all packages than it is that this causes DoS in the first place. It’s pretty damn stupid that you can’t unpublish packages others depend on, and the whole recursive dependencies thing makes the situation a lot worse than it otherwise would be. Neither of these is an issue with other package registries.

    • zygo_histo_morpheus · 4 up · 10 months ago

      One problem that’s particular to node is that you can’t unpublish packages if another package depends on them. As it says in the article, that means that no one can unpublish their packages, including the everyone package since someone apparently depends on that.
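
The two comments above describe a mechanism rather than a bug: a package may only be unpublished while nothing else on the registry lists it as a dependency, so one package that depends on everything locks everything. The following toy model is an added illustration, not code from the article, from npm, or from any commenter. It assumes a registry snapshot as a plain name-to-dependencies mapping; every package name except `everyone` is constructed, and the unpublish rule is implemented exactly as the commenters state it (direct dependents only), which is an assumption about npm's actual policy.

```python
"""Toy model of the unpublish rule the thread describes (constructed example)."""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed registry snapshot: package name -> list of direct dependencies.
# Only "everyone" mirrors a package mentioned in the thread; the rest are made up.
REGISTRY: Dict[str, List[str]] = {
    "left-stuff": [],
    "tiny-util": [],
    "colour-lib": ["tiny-util"],
    "everyone": ["left-stuff", "tiny-util", "colour-lib"],  # depends on all of them
    "some-app": ["everyone"],
}


def reverse_deps(registry: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Build the reverse graph: dependency -> set of packages that list it."""
    rev: Dict[str, Set[str]] = defaultdict(set)
    for pkg, deps in registry.items():
        for dep in deps:
            rev[dep].add(pkg)
    return rev


def direct_dependents(registry: Dict[str, List[str]], name: str) -> Set[str]:
    """Packages that list `name` directly in their dependency list."""
    return set(reverse_deps(registry).get(name, set()))


def can_unpublish(registry: Dict[str, List[str]], name: str) -> bool:
    """The rule as the commenters describe it (assumed, not verified against
    npm's real policy): unpublishing is allowed only when no other published
    package depends on `name` directly."""
    if name not in registry:
        raise KeyError(f"unknown package: {name}")
    return not direct_dependents(registry, name)


def transitive_dependents(registry: Dict[str, List[str]], name: str) -> Set[str]:
    """Everything that would break, directly or through recursive dependencies,
    if `name` vanished. This is the blast radius the second commenter alludes to."""
    rev = reverse_deps(registry)
    seen: Set[str] = set()
    stack = list(rev.get(name, ()))
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        stack.extend(rev.get(pkg, ()))
    return seen


def locked_packages(registry: Dict[str, List[str]]) -> List[str]:
    """All packages whose owners can no longer unpublish them."""
    return sorted(p for p in registry if not can_unpublish(registry, p))


def lock_holders(registry: Dict[str, List[str]]) -> Dict[str, int]:
    """For each package, how many other packages it alone holds locked, i.e.
    dependencies for which it is the sole dependent. A package with a huge
    dependency list and nobody else sharing those dependencies scores high."""
    rev = reverse_deps(registry)
    counts: Dict[str, int] = defaultdict(int)
    for dep, dependents in rev.items():
        if len(dependents) == 1:
            counts[next(iter(dependents))] += 1
    return dict(counts)


if __name__ == "__main__":
    print("locked:", locked_packages(REGISTRY))
    print("blast radius of tiny-util:", sorted(transitive_dependents(REGISTRY, "tiny-util")))
    print("sole lock holders:", lock_holders(REGISTRY))
```

In this snapshot only `some-app` can still be unpublished; `everyone` alone holds `left-stuff` and `colour-lib` locked, and `tiny-util` is locked by two packages, so removing `everyone` would free some but not all of them. On a real registry the same computation over a dependency graph shows a maintainer which of their packages are now permanently pinned and how wide the breakage would be if one were ever removed.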