One of the best things about npm is how efficient it is for iterating on malware distribution. https://mjtsai.com/blog/2026/04/01/axios-compromised-on-npm/
Michael Tsai - Blog - axios Compromised on NPM

@joesteel Is npm bad because it’s badly designed? Or is it bad simply because it is very popular? Is there an analogue that is less bad?
@DavidAnson I am not A Real Programmer, but npm has a soup of dependencies, which makes the odds high of getting a compromised package onto someone's machine that has auth access and distributes other packages. They also run install-time scripts, which is how all these mini-shai-hulud variants keep happening, unlike other install methods like pip, cargo, etc. GitHub credentials are definitely something everyone is vulnerable to, but it is much easier to deploy malware here. That's my 2 cents.
@joesteel I don’t like install-time scripts, either, so I disable them. However, as soon as a dependency is referenced as part of app development or testing, any malicious code it has could run, so I’m not sure this is a meaningful security difference. Your point about the large number of dependencies feels much more relevant to me. However, I’m not sure that’s a design problem with npm as much as a culture in the JavaScript ecosystem.
@joesteel As someone who uses npm, I’m always curious if people pick on it just because of anti-front-end snobbery or if their package management system is legitimately superior. :)
@joesteel (In case it’s not obvious, I’m not accusing YOU of being a snob here. Your original point is perfectly valid!)