Another npm package with wide deployment backdoored: https://news.ycombinator.com/item?id=18534392 https://blog.bitpay.com/npm-package-vulnerability-copay/
There are two paths to mitigating this stuff, and both should be taken:
- Focus on auditable and reproducible packages. Sadly, mostly impossible with NPM, which is one of the worst language package environments: https://dustycloud.org/blog/javascript-packaging-dystopia/
- Introduce object-capability (ocap) security into the ecosystem. Probably won't happen, but MarkM explained how: https://www.youtube.com/watch?v=9Snbss_tawI&list=PLKr-mvz8uvUgybLg53lgXSeLOp4BiwvB2&index=25&t=0s
Friends don't let friends use npm.