By John Gruber
Ax Sharma, writing for Bleeping Computer:
This month, the developer behind the popular npm package ‘node-ipc’ released sabotaged versions of the library in protest of the ongoing Russo-Ukrainian War. Newer versions of the ‘node-ipc’ package began deleting all data and overwriting all files on developers’ machines, in addition to creating new text files with “peace” messages. [...]
Popular JavaScript front end framework ‘Vue.js’ also uses ‘node-ipc’ as a dependency. But prior to this incident, ‘Vue.js’ did not pin the versions of ‘node-ipc’ dependency to a safe version and was set up to fetch the latest minor and patch versions instead [...]
The way the Node community works, just blindly slurping in other people’s package updates without knowing what’s in them, continues to boggle my mind.
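The quoted passage turns on one mechanism: a caret or tilde range in package.json tells npm to resolve to the newest matching minor or patch release at install time, so a freshly published sabotaged version flows in with no change to the manifest. The script below is an added example, not code from the article, from Vue.js or from node-ipc; it models npm's caret/tilde rules for plain x.y.z versions, answers "would this specifier accept that release?", and audits a manifest for floating specifiers. Every package name and version in it is a constructed placeholder.

```javascript
// Added example (not from the article, Vue.js or node-ipc): audit package.json
// version specifiers for ranges that float to newer minor/patch releases.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) return null; // pre-release tags, wildcards etc. are out of scope here
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Describe an exact, caret (^) or tilde (~) specifier with a full x.y.z base,
// following npm's semver rules: ~ admits newer patches, ^ admits newer minors
// and patches (for 0.y.z the leftmost non-zero component is the one held fixed).
// Returns null for forms this example does not model (>=, *, ||, git URLs ...).
function describeRange(spec) {
  const s = spec.trim();
  const op = s[0] === '^' || s[0] === '~' ? s[0] : '';
  const base = parseVersion(op ? s.slice(1) : s);
  if (!base) return null;
  if (!op) return { lower: base, upperExclusive: null, floating: false };
  let upper;
  if (op === '~') upper = { major: base.major, minor: base.minor + 1, patch: 0 };
  else if (base.major > 0) upper = { major: base.major + 1, minor: 0, patch: 0 };
  else if (base.minor > 0) upper = { major: 0, minor: base.minor + 1, patch: 0 };
  else upper = { major: 0, minor: 0, patch: base.patch + 1 };
  // The range floats if some version newer than the base still lies below the bound.
  const nextPatch = { major: base.major, minor: base.minor, patch: base.patch + 1 };
  return { lower: base, upperExclusive: upper, floating: compare(nextPatch, upper) < 0 };
}

// Would npm accept `version` for `spec`? This is what decides whether a newly
// published release is pulled in by a plain `npm install` with no lockfile.
function satisfies(spec, version) {
  const r = describeRange(spec);
  const v = parseVersion(version);
  if (!r || !v) return false;
  if (!r.upperExclusive) return compare(v, r.lower) === 0;
  return compare(v, r.lower) >= 0 && compare(v, r.upperExclusive) < 0;
}

// Walk dependencies and devDependencies and report which specifiers float.
function auditDependencies(pkg) {
  const report = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const r = describeRange(spec);
      report.push({ name, field, spec, floating: r ? r.floating : null });
    }
  }
  return report;
}

// Names of everything that is not provably pinned (floating or unrecognized).
function floatingNames(pkg) {
  return auditDependencies(pkg).filter((d) => d.floating !== false).map((d) => d.name);
}

// Constructed sample manifest: placeholder names, not real registry packages.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  dependencies: {
    'example-ipc-lib': '^9.2.1', // floats: any 9.x.y newer than 9.2.1 is accepted
    'example-util': '~2.4.0',    // floats: any 2.4.x newer than 2.4.0 is accepted
    'example-pinned': '1.0.7',   // exact pin: only 1.0.7 is accepted
  },
  devDependencies: {
    'example-tool': '^0.3.2',    // floats within 0.3.x
    'example-locked': '^0.0.5',  // ^0.0.z admits only that single version
  },
};

for (const d of auditDependencies(SAMPLE_PACKAGE_JSON)) {
  const status = d.floating === null ? 'unrecognized' : d.floating ? 'FLOATING' : 'pinned';
  console.log(`${d.field}/${d.name} ${d.spec}: ${status}`);
}
```

The audit flags the manifest, but a committed package-lock.json installed with `npm ci` is what actually holds each dependency at the recorded version; `npm install` against the same manifest without a lockfile re-resolves every floating range against whatever the registry currently has, which is the path the quoted incident describes.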
★ Sunday, 20 March 2022