31 points | by q3k a day ago ago
5 comments
More and more, I am thinking all my local development environments for Node / JavaScript projects need to be set up in a sandboxed VM.
The two listed collaborators of the debug package have over 700 packages published collectively, many of them with millions of weekly downloads. What could possibly go wrong when their token is compromised?
GH issue: https://github.com/debug-js/debug/issues/1005
A blog post: https://www.aikido.dev/blog/npm-debug-and-chalk-packages-com... (https://news.ycombinator.com/item?id=45169657)
is-arrayish lmao