Nearly 2000 packages affected now.

I’m starting to become sceptical of pacakge managers as a concept.

  • invalidusernamelol [he/him]@hexbear.net
    link
    fedilink
    English
    arrow-up
    13
    ·
    22 days ago

    PyPi kinda has this issue too. The typo squatting epidemic has been discussed a few times.

    I haven’t had many issues with PyPi, but any package manager is just running someone else’s code on your computer. You really should be reading the code, checking the sources, and validating the binaries with any officially supplied checksums.

    The scariest situation is when someone has a dev dependency, that package is squatted or compromised, and an unpinned supply chain attack is carried out like what happens with NPM ever other day.

    You can even see the discussions in that thread about the risk of a squatted package vendoring the real package or just pulling it in as a dependency during install, and sitting in the middle stealing whatever passes through.