One of my favorites:
"console.log(JSON.stringify(obj, null, 2))" in JavaScript makes debugging way clearer.
After Shai-Hulud, I find myself wondering what it is that makes NPM less secure than, say, Maven? Based on what I know, stealing publishing credentials could be done to either service using the approach Shai-Hulud did.
The only thing I can think of is as follows:
- The NPM convention of using version ranges means that publishing a malicious patch to a dependency can more easily be pulled in during the resolution process, even if you're not explicitly adding that dependency.
- The NPM postinstall mechanism, which was a big part of the attack vector, is a pretty nasty thing.
Anything else that makes NPM more vulnerable than Maven and others?