Comment by dec0dedab0de
20 hours ago
The project authors probably don't even know what libraries their project requires, because many of them are transitive dependencies. There is zero chance that they have checked those libraries for supply chain attacks.
This is the best reason for letting users install from npm directly instead of bundling dependencies with the project.
What user is going to check dependencies like that?
I was really saying that if there is a compromised version that gets removed from NPM, then the projects using it do not need to be updated, unless of course they had the compromised version pinned.
Though plenty of orgs centralize dependencies with something like artifactory, and run scans.
If someone detects it is asking a lot.
Users who don't care about security are screwed no matter what you do. The best you can do is empower those users who do care about security.
That cannot work. Nor should it work. However can we make things so that users don't need to care in the first place?
Note that the above probably isn't 100% answerable. However it needs to be the goal. A few people need to care and take care of this for everyone. Few needs to be a large enough to not get overwhelmed by the side of the job.