Node Package Manager, Tribulátio, In Paradiso
Well, it looks like there is a bit of bother at npm, what with its recent run of security failures. Read Adam Shostack's well-crafted piece detailing what's broken and what to do about it (the remedy being fairly obvious once you read his thoughtful post). Enjoy.
"In June, security researcher ChALkeR explained how he 'obtained direct publish access to 14% of npm packages (including popular ones). The estimated number of packages potentially reachable through dependency chains is 54%.' Then, there was a typo-squatting attack that went undetected for two weeks. And just a few days ago, Ivan Akulov reported on malicious packages in npm." - via Adam Shostack, writing at IANS