# Why Javascript is a bomb waiting to explode.



## mark_j (Mar 20, 2022)

Once again something happens to NPM that causes very real issues.
Forgetting about the politics or humanity of the cause, this is just another reason why things like javascript that pull in code without even an attempt to vet it are a potential catastrophe.
Too melodramatic? Maybe, but P.O.C.s for CPU exploits are made via this evil language called javascript.
Read more Here


----------



## mer (Mar 20, 2022)

No disagreements from me.  It does show a good point of Open Source:  one can look at the code.  But the downside is: one has to have a desire to look at the code and the ability to recognize malicious code.


----------



## Phishfry (Mar 20, 2022)

That one guy that deserves a polonium milkshake. Protestware? Destroys open source reputation in one swoop.


----------



## kpedersen (Mar 20, 2022)

Eeek, it can get pretty ugly. Though admittedly, I do tend to see it less of a flaw of Javascript (or even the web) and more that beginners are specifically attracted to it.

No-one should be dragging in dependencies like this. They should use a specific (known) version rather than treadmilling onto the latest all the time! That is a very amateur thing to do and in the web specifically, I see it all the time.

I really dislike these language specific package stores (NPM, PIP, crates.io, VcPkg, etc). They just allow amateurs to rack up so much technical debt!


----------



## Alain De Vos (Mar 20, 2022)

Like the number of lines of code of the Chromium browser ...
Is this even verifiable, given the hugeness?


----------



## mer (Mar 20, 2022)

A lot of places that I've worked at/with, will actually set up local clones of repos they use.  They can have better control over versions and "what's in their product".  You still have to vet the code you are using, but at least you are not blindly pulling things in.

Alain De Vos "Maybe".  Like the old jokes about eating an elephant, one bite at a time.  The problem is that by the time you are done verifying "this" version of Chrome, how much time has passed, how many versions behind are you from the current one.


----------



## mark_j (Mar 20, 2022)

kpedersen said:


> Eeek, it can get pretty ugly. Though admittedly, I do tend to see it less of a flaw of Javascript (or even the web) and more that beginners are specifically attracted to it.


Yes, true.

We strangely decry M$ using telemetry (glorified spyware), rightfully so, we update FreeBSD with the latest patches, be ever diligent with our firewalls, our auditing, our MAC etc etc and yet don't give a second thought to the biggest security threat: a browser running javascript.

Perhaps you're right, but for the reasons I wrote above, it has a powerful position in the software stack and yet is the most insecure garbage I can think of. More and more people adopt it, the browser, as the future in computing. Sheez, that future is bleak.



kpedersen said:


> No-one should be dragging in dependencies like this. They should use a specific (known) version rather than treadmilling onto the latest all the time! That is a very amateur thing to do and in the web specifically, I see it all the time.
> 
> I really dislike these language specific package stores (NPM, PIP, crates.io, VcPkg, etc). They just allow amateurs to rack up so much technical debt!



No one should, but the problem is everyone does. They use others' code, which contains other code, that contains other code and so on, just so they can do rot13. (Just an example.) It's almost theft, because to me this is not open source, it's open exploitation. Maybe they're truly the same?

I remember years ago, the advent of C++ and the sharing of code and people/nerds being all giddy over it. Some were anticipating large code banks where you could draw in code to perform X function and Y function and save time & *money*.. Glorious they said. Me, being perhaps too cynical, said in a sarcastic way: "What could possibly go wrong with that methodology". Along comes javascript.

I'm not sure it can be solved short of all browsers being run in a sandbox, always, but that largely only stops exploits.

Don't get me wrong, sharing code is good, but ffs know what it does or don't include it. This type of system like NPM does the exact opposite.

Yes these repositories are an evil unto themselves.


----------



## mark_j (Mar 20, 2022)

Alain De Vos said:


> Like the number of lines of code of the Chromium browser ...
> Is this even verifiable, given the hugeness?


True, but you're unlikely to include chromium in some software you write.
As I've said, code sharing is not evil, and most code is great etc, but if you willingly include software in your own software without understanding it, then you're a poor programmer (literally and figuratively).

It's not inconceivable something similar could happen with a c++ boost library or similar, but this is not the same as NPM  where software includes software includes software drawn from NPM and the programmers don't know or care.


----------



## Vull (Mar 20, 2022)

Warning Will Robinson! Warning! According to my Firefox Browser Console, we were attacked by multiple Javascript errors while loading this hazardous FreeBSD forums thread! Warning! Warning! Warning!


----------



## obsigna (Mar 20, 2022)

Vull said:


> Warning Will Robinson! Warning! According to my Firefox Browser Console, we were attacked by multiple Javascript errors while loading this hazardous FreeBSD forums thread! Warning! Warning! Warning!


Since when is "200 OK" an error?


----------



## Phishfry (Mar 20, 2022)

Calling this protestware is not appropriate when I look at his work. By obfuscating his evil he really crossed a line.
obsigna was mentioning how he was going to disable downloads for his software for certain Geo IPs.
That seems like a reasonable protest compared to deleting files.

I absolutely hate what is going on in Ukraine. 
But when you give your work to 'the license' there is no turning back. Regardless of your feelings.


----------



## obsigna (Mar 20, 2022)

JavaScript is a tool, and since the first primates started using tools, there were some individuals who were using it wrong.

This example may well be an urban legend (I heard it more than 25 years ago), anyway it fits the message. A vacuum cleaner is not a bomb waiting to explode only because an individual used it to suck wasps out of their nest into it and, in order to finally kill the wasps, sucked natural gas into the running cleaner. Well, the wasps were killed, but other severe casualties happened as well.

EDIT:

Node.js and NPM seem to behave somehow like a vacuum cleaner, sucking in, among some wanted things, also other things and wasps from the net. That is another story, but that is not inherently a problem of JavaScript. There is a long list of similar incidents, where some language has been used to load malicious code from anywhere.

Needless to say, I use pure JavaScript, and my JS code does not even load other JS code from my sites. I require my JS to be atomic and self-contained.


----------



## Phishfry (Mar 20, 2022)

My milkshake comment was vengeful but it is a serious offense against some very serious people.
I apologize for my demeanor.


----------



## Vull (Mar 20, 2022)

obsigna said:


> Since when is "200 OK" an error?


Oops, sorry! Wrong screenshot.


----------



## ct85711 (Mar 20, 2022)

The bad part is the vulnerability alert in NPM is going to be ignored by a majority of users, because of how NPM is set up and its policy on fixing it. For those that haven't played with NPM much, it has the good intention of warning people about known vulnerabilities in packages. The problem is that the tool to fix it does it the completely wrong way. The policy of the npm audit tool (to also fix vulnerabilities) is to first switch to a different version. The issue is, npm also has a policy of every version being a hard stop; there is no such thing as an upgrade beyond that major (and in a lot of cases minor) version, just the revision. The only way to switch to a new version is to manually go into the file(s) and by hand change all the versions to a new version (including all the dependencies). Now, what the npm audit tool does, from those 2 policies, is what it can: it switches to a new version; an older version... in a lot of cases, all the way down to 1.0.0 or 0.0.1.

Another issue npm audit tool has, is that it can't differentiate who has the dependency; so it reports that every tool in the entire dependency chain has the vulnerability.  So it literally gets into the boy that cried wolf with a figurative blowhorn and everyone gets on and cries out on their blowhorn when they hear it.  So in the end, npm got everyone so numb to vulnerability reports that they don't listen to them (as who can tell which package in the entire dependency chain has the vulnerability).  Even if someone wants to do something about it, how can they do anything about something that is 3+ layers deep (even a new react project comes with several vulnerabilities from the get go; one that is several layers deep that is abandoned but is widely used by everything).


----------



## Crivens (Mar 20, 2022)

mark_j said:


> True, but you're unlikely to include chromium in some software you write.


*cough* Teams. Twice. *cough*


----------



## drhowarddrfine (Mar 20, 2022)

obsigna pointed out what I was going to write. The problems we hear about are problems intentionally written by bad actors and not a problem with javascript. It's also a problem when there are vulnerabilities that js has access to.

At my company, we wrote all our own software, but credit card providers required us to use node and their software. The good thing is that, if something went wrong, it was their problem, not ours. With other things, we might use someone else's library if we were in a rush but always eventually replaced it with our own. Not only for security's sake but for our own. WE were in charge of fixing bugs and WE made the software do what WE wanted and we didn't have to wait around for anyone else.


----------



## hardworkingnewbie (Mar 20, 2022)

Crivens said:


> *cough* Teams. Twice. *cough*


Which is based on the Electron framework, so it's actually worse than that.

For me, NPM is not the problem, because there are similar tools outside for other languages as well, like cargo or pip.

For me the problem around NPM is

a) the way it is being managed - maybe it has improved since Microsoft bought it? I don't know... and
b) the laziness and lack of skill of the average Node.JS developer.

I mean we are talking here about people who are too dumb to program 1+1 on their own. Maybe not that dumb, but dumb enough to program many trivial tasks a programmer of another programming language is able to do on his own. Otherwise it cannot be explained how a simple left padding function became one of the most downloaded packages in that ecosystem with around 2.5 million downloads per month, and when it was pulled for 10 minutes broke the whole ecosystem.

And since Node.JS developers are mostly too lazy to program basic stuff on their own, their programs are most of the time real dependency hells which nobody can evaluate for security... at least quickly.


----------



## shkhln (Mar 20, 2022)

npm is _definitely_ a problem, because it's explicitly built with semver in mind and semver encourages micro-libraries.


----------



## mark_j (Mar 20, 2022)

obsigna said:


> [...]
> 
> Needless to say, I use pure JavaScript, and my JS code does not even load other JS code from my sites. I require my JS to be atomic and self-contained.



If only more people were like you! 

However, the majority of javascript "programmers" seem to be lazy, unassuming programmers with zero knowledge of the ramifications of using a system of blind inclusion of source code.


----------



## ct85711 (Mar 20, 2022)

shkhln said:


> npm is _definitely_ a problem, because it's explicitly built with semver in mind and semver encourages micro-libraries.


I don't think this is an npm/JS limited issue, but more of the mentality/culture around package managers in pretty much ANY/ALL languages. While I agree in semver being the key issue, laziness really ends up being the ugly head that always pops up. Doesn't help that laziness is also helping the spread of semver and micro-libraries because of the "not my issue" mentality, since it is in some library and not in their code.

Doesn't help that Rust is going full speed down the path npm is going. Even when I checked on the Rust community's views on the dependency hell, they don't consider it a problem because everything is super small (aka micro-libraries) and if they need to, they try breaking dependencies into "features" and ignore it until some other time.


----------



## mark_j (Mar 20, 2022)

Phishfry said:


> Calling this protestware is not appropriate when I look at his work. By obfuscating his evil he really crossed a line.
> obsigna was mentioning how he was going to disable downloads for his software for certain Geo IPs.
> That seems like a reasonable protest compared to deleting files.
> 
> ...


I sort of agree and disagree.
First, yes he does cross the line, but, second, it is HIS software. He can put whatever he wants into it. He can put malware, virus, trojan or whatever. He deals with those consequences, but ultimately it is his software.
It's the idiots that blindly use this stuff that are the true problem and the languages that facilitate it.


----------



## obsigna (Mar 20, 2022)

Phishfry said:


> Calling this protestware is not appropriate when I look at his work. By obfuscating his evil he really crossed a line.
> obsigna was mentioning how he was going to disable downloads for his software for certain Geo IPs.
> That seems like a reasonable protest compared to deleting files.
> 
> ...


Born in a strongly catholic family, I was taught that vengeance is one of the most evil attitudes and we must avoid it by all means.
We may hate individuals (in the form of strong discomfort with him/her), but we must not take retributive actions.

We must not hate a whole society only because of the malediction of some individuals.

For example, of course I hate Vladimir Putin, but I don’t have a death wish for him. It does not even go as far as what Richard Stallman said about Steve Jobs. For me it would be totally sufficient if Putin together with Lawrow would end a perhaps long lasting life in exile like Napoleon on Saint Helena. For me Putin may have it a tad more comfortable and he may even ask his best friend Assad for 72 virgins.

That said, I don’t hate the Russian people. As soon as Russia stops the war, I will stop my personal sanctions (geo blocking) that you mentioned, and I am sure the US, EU, UK and all the other allies all over the world will stop the sanctions as well and will seek normal relationships for the benefits of everybody.

BTW: The last login of our friend Andriy from Ukraine who discussed with us the LCD issues was on Feb 23, 2022. One day before the invasion. I hope he is doing well.


----------



## Alain De Vos (Mar 21, 2022)

Note, the chromium browser contains 2,300,000 lines of javascript code.


----------



## mark_j (Mar 25, 2022)

And note it's also the source of 0-day exploits involving javascript and bugs: CVE-2022-0609
And.. it's still being exploited in the wild today, even. 
(I wanted to link to the CVE, specifically Microsoft's take on it, but alas you needed to enable javascript to view it. Anyone see the lunacy in that? )


----------



## drhowarddrfine (Mar 25, 2022)

JavaScript is the lingua franca of the web. It's not going anywhere. Turning it off is not going to gain you anything. You are not likely to ever suffer an exploit from it any more than any other exploit from any other language, software or system.


----------



## kpedersen (Mar 25, 2022)

mark_j said:


> but alas you needed to enable javascript to view it. Anyone see the lunacy in that? )


I have a cesspit PC just for this very occasion. Sometimes it is fun just to see how gross it gets and imagine that some people actually use something like this as their daily driver!

Either way, VMs or Jails pretty much exist to contain the crap that this industry churns out. It is frustrating but it won't go any time soon. It is for us to have fun trying to avoid


----------



## Vull (Mar 26, 2022)

The bigger problem on this site isn't javascript, it's all these ponderous lines of jive-a-script.


----------



## blind0ne (Mar 26, 2022)

mark_j said:


> If only more people were like you!
> 
> However, the majority of javascript "programmers" seem to be lazy, unassuming programmers with zero knowledge of the ramifications of using a system of blind inclusion of source code.


Yep, let's make PCs out of rocks and fire, from scratch. And check every single line of code. Russians are taking on this "task" right now.


----------



## kpedersen (Mar 26, 2022)

blind0ne said:


> Yep, let's make PCs out of rocks and fire, from scratch. And check every single line of code. Russians are taking on this "task" right now.


In all fairness this is a good thing and I wish it didn't take wars to encourage companies to do so.
Once Russia stops their nonsense and this all blows over, I do hope some of this re-implementation and audit work gets shared.


----------



## mark_j (Mar 27, 2022)

drhowarddrfine said:


> JavaScript is the lingua franca of the web. It's not going anywhere. Turning it off is not going to gain you anything. You are not likely to ever suffer an exploit from it any more than any other exploit from any other language, software or system.


I'm not sure facts back up your statement. In fact, I know it's totally wrong.
Javascript seems to be the single biggest vector for exploits from CPU cache poisoning to ransomware.
A little example: https://github.com/HynekPetrak/javascript-malware-collection
Just do a search in your favourite, non-javascript requiring search engine for javascript malware and tell me it is "any more than any other exploit".

I'll just keep disabling/avoiding javascript and/or mitigating it with sandboxing while you can keep using it safe in the knowledge the odds are with you.


----------



## mark_j (Mar 27, 2022)

blind0ne said:


> Yep, let's make PCs out of rocks and fire, from scratch. And check every single line of code. Russians are taking on this "task" right now.


I didn't state that. However, it's one thing to audit code line by line, it's another to blindly insert code into your own code without knowing what it does and why it does it. Trust is something, blind trust is stupidity.

When an author of some javascript doesn't even know they're using half the junk in NPM, that says a lot about the standards kept.


----------



## drhowarddrfine (Mar 27, 2022)

mark_j Since Javascript is the only programming language that runs in the browser, it's hard to find another that would cause issues. Note that the problem in your example is not javascript--it's ransomware and how it got on their system.


----------



## mark_j (Mar 27, 2022)

Javascript is the vector. There are other 'languages': css is one.


----------



## drhowarddrfine (Mar 27, 2022)

mark_j CSS is not a programming language. There are no native programming languages in the browser except for javascript


----------



## kpedersen (Mar 27, 2022)

mark_j said:


> Javascript is the vector. There are other 'languages': css is one.





drhowarddrfine said:


> mark_j CSS is not a programming language. There are no native programming languages in the browser except for javascript


I suppose it doesn't really need to be a programming language that can be a vector.

I'm sure we all recall in the earlier days that compromised images could be an attack vector too (overflowing the decoder and getting it to execute a payload). However luckily in time the image decoders were fixed and most importantly, images are finite in that their complexity of being able to load them becomes complete.

Whereas Javascript is endless; rather than fixing bugs, the developers just keep piling on more vulnerable shite. And if that is even becoming reasonably complete, chuck in a bytecode generator that runs instructions on the GPU (WebGL/GLSL|ES) and after that chuck in a general purpose bytecode interpreter (Web Assembly). And after that, connect it all tightly to the underlying system (WebUSB).

Surely it should be reaching critical mass by now where technical / open-source communities are targeting / supporting more sane browsers like Netsurf? It just doesn't seem to be happening. These very forums are a sad example of that.


----------



## hardworkingnewbie (May 10, 2022)

New NPM fun, this time: foreach!

Lance R. Vick (@lrvick@mastodon.social) on mastodon.social:

> I just noticed "foreach" on npm is controlled by a single maintainer. I also noticed they let their personal email domain expire, so I bought it before someone else did. I now control "foreach" on NPM, and the 36826 projects that depend on it.


----------



## fryshke (May 10, 2022)

Don't other languages have the same problems in their package managers?


----------



## kpedersen (May 11, 2022)

fryshke said:


> Don't other languages have the same problems in their package managers?


The culture is particularly bad with Node.js / Javascript communities. Here the general trend is towards millions of "microdependencies".

I always get annoyed by Emscripten as an example. 99% of the project is written in C++ (the main Clang-based compiler) with pretty much zero dependencies outside of the system. Then for the final 1% the developers chose to use Node.js.

As you can see by the NPM package spec, this alone drags in hundreds of dependencies for fairly trivial things:

https://github.com/emscripten-core/emscripten/blob/main/package-lock.json

Python's PIP, Perl's CPAN and Rust's Crates.io have a similar tendency. Much of it is bindings to C libraries meaning that these languages will *always* require more dependencies than C and C++.
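
The two complaints above, that a vulnerable package can sit "3+ layers deep" where nobody can tell which direct dependency pulls it in, and that a package-lock.json is the place where the real dependency count shows up, can be answered from the lockfile itself. The following is an added example, not code from any poster or from npm: it walks a lockfileVersion 2/3 `packages` map using npm's nearest-`node_modules` resolution rule and lists every chain from the project root to a named package. The lockfile and all package names in it are constructed for the example.

```javascript
// Constructed lockfileVersion 3 excerpt; keys are install paths, "" is the root
// project. Package names are made up. cli-colors needs an older tiny-pad than
// web-helper does, so npm installs a second copy nested under cli-colors.
const constructedLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app",
          dependencies: { "web-helper": "^2.0.0", "cli-colors": "^1.0.0" } },
    "node_modules/web-helper": { version: "2.1.0",
          dependencies: { "tiny-pad": "^1.0.0", "iter-each": "^2.0.0" } },
    "node_modules/cli-colors": { version: "1.0.4",
          dependencies: { "tiny-pad": "^0.9.0" } },
    "node_modules/cli-colors/node_modules/tiny-pad": { version: "0.9.2" },
    "node_modules/tiny-pad": { version: "1.3.0",
          dependencies: { "iter-each": "^2.0.0" } },
    "node_modules/iter-each": { version: "2.0.1" }
  }
};

// npm's resolution rule: a package installed at path P finds dependency D at
// P/node_modules/D, otherwise at the same place one node_modules level up, and
// so on until the top-level node_modules/D. Returns null if D is not installed
// (e.g. an optional dependency that was skipped).
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${depName}`
                                  : `${base}/node_modules/${depName}`;
    if (candidate in packages) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(installPath) {
  const marker = "node_modules/";
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

// Depth-first walk from the root. Returns every chain of install paths that
// ends at a package called targetName. The chain itself is the cycle guard;
// enumerating all paths is exponential in the worst case, which is fine for a
// one-off triage but not for a CI gate on a huge tree.
function findDependencyPaths(lock, targetName) {
  const packages = lock.packages;
  const results = [];
  function walk(path, chain) {
    const entry = packages[path];
    if (!entry) return;
    for (const dep of Object.keys(entry.dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (depPath === null || chain.includes(depPath)) continue;
      const next = [...chain, depPath];
      if (packageName(depPath) === targetName) results.push(next);
      walk(depPath, next); // keep going: another copy may be nested deeper
    }
  }
  walk("", []);
  return results;
}

// Human-readable triage: which direct dependency to chase, how deep the hit
// is (1 = direct dependency), and the exact installed version on that path.
function report(lock, targetName) {
  return findDependencyPaths(lock, targetName).map(chain => ({
    version: lock.packages[chain[chain.length - 1]].version,
    depth: chain.length,
    via: packageName(chain[0]),
    chain: chain.map(p => `${packageName(p)}@${lock.packages[p].version}`)
                .join(" -> ")
  }));
}

console.table(report(constructedLock, "iter-each"));
console.table(report(constructedLock, "tiny-pad"));
```

To run it against a real project, pass the parsed contents of its package-lock.json to `report` in place of `constructedLock`.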


----------



## hardworkingnewbie (May 11, 2022)

For me the problem between NPM and, let's say, PIP is that NPM programmers are really, really lazy and dumb. While older repository systems mostly are filled with modules to cover a certain task, e.g. parse an XML file, have a small embedded web server, correctly validate an email address, NPM has these of course, too.

But the majority of NPM modules are not there to cover such a complex task, but to do trivial small programming tasks which can be reused everywhere and which average programmers should be able to come up with on their own, like e.g. a left padding for strings/numbers and now this foreach thing.

Programmers in most other language communities would just write that stuff on their own, or maybe pull in one standard library which covers much of the required stuff if there is such a thing. In Node.JS and with NPM though, people just don't bother even writing such trivial things on their own, instead pulling this directly from NPM and integrating it into their own little projects. And since NPM has many of these little trivial building blocks around, where many have a lot of dependencies, even moderately complex Node.JS programs often have a dependency count in the hundreds.


----------



## fryshke (May 11, 2022)

So the answer is yes. PIP sucks balls, and you should manually validate packages, cache them and only pull them from your cache.


----------



## JozanOfAstora (May 11, 2022)

Alain De Vos said:


> Note, the chromium browser contains 2,300,000 lines of javascript code.



For science I ran devel/tokei with `time` on the official chromium github repo, here's the output:


```
===============================================================================
 Language            Files        Lines         Code     Comments       Blanks
===============================================================================
 Arduino C++             1           17            8            5            4
 Assembly               68        72876        65703          776         6397
 GNU Style Assembly    140       214881       195068         2649        17164
 Autoconf              154        23300        20928         1304         1068
 Automake               22         6413         5576          261          576
 BASH                   62         4034         2603          779          652
 Batch                  40         1005          647          142          216
 C                    1283       699971       480417       133889        85665
 C Header            45892      5202302      3117133      1156709       928460
 CMake                  89        14614        12279         1080         1255
 C#                    232       147024       119078        16680        11266
 CoffeeScript            4         1070          941           21          108
 C++                 53341     15477368     11757584      1463055      2256729
 C++ Header             96         8874         5859         1665         1350
 CSS                  1414        75320        59539         5644        10137
 D                       1           17            4           10            3
 Dart                    3          129          102            7           20
 Dockerfile             35         1835         1358          266          211
 .NET Resource           7         1904         1452          452            0
 Dream Maker             1            1            1            0            0
 Emacs Lisp              8          969          579          229          161
 Elm                     2          542          399           32          111
 FlatBuffers Schema     11         1483          491          765          227
 Forth                   1            2            2            0            0
 GDB Script              1           34           17           14            3
 GLSL                    3          102           51           33           18
 Go                      7          827          683           61           83
 Groovy                  3         1955         1585          210          160
 Handlebars             13          107          107            0            0
 Happy                   1          498          449            0           49
 HLSL                    3           80           63            9            8
 INI                   107         3827         2651           16         1160
 Java                 8670      1662433      1147431       294472       220530
 JavaScript          21040      3641765      2487826       764970       388969
 JSON                 5661      2209774      2206543            0         3231
 JSX                     5          849          677           60          112
 LD Script               4           39           31            5            3
 Makefile               45         3349         2237          536          576
 Meson                  10          965          792           63          110
 Module-Definition      23        14099        13964           67           68
 MSBuild                11          577          518           29           30
 Objective-C           157        76796        59183         8571         9042
 Objective-C++        4270       796018       589123        84645       122250
 OpenType Feature |      1         3834         3110            1          723
 Pan                     6           91           67            7           17
 Perl                  104        24048        16172         4589         3287
 PHP                   752        40605        26734         9791         4080
 PowerShell              1           20            9            6            5
 Protocol Buffers      963       119654        64377        38370        16907
 Python               5818      1093137       852664        91059       149414
 R                       1           23           20            0            3
 RPM Specfile            4         1357         1135          123           99
 Rakefile                2          185          142           11           32
 ReStructuredText      122        33991        25340            0         8651
 Ruby                   23         6305         5215          268          822
 Sass                   12          178          137           15           26
 Shell                 427        34095        22318         6931         4846
 SQL                   178         9266         8671          255          340
 SVG                  3517       173450       153910        11954         7586
 Swift                  71         5768         3903         1014          851
 SWIG                    1           98           56           28           14
 TeX                     1         1454         1441           11            2
 Plain Text          29743      1599903            0      1531852        68051
 TOML                  143         6885         4797         1268          820
 TypeScript           1829       321573       223558        56099        41916
 Vim script              6          338          273           43           22
 Visual Studio Sol|      1           26           25            0            1
 WebAssembly             2            8            8            0            0
 XSL                    82         2488         2282           80          126
 XML                  3527       625625       569565        20268        35792
 YAML                  587        33103        29223         1290         2590
-------------------------------------------------------------------------------
 HTML                86806      2183417      1957814        85968       139635
 |- CSS              33393       471692       429668         9019        33005
 |- HTML               842        12700        12510          134           56
 |- JavaScript       49962      1698709      1435041        73721       189947
 |- Plain Text           9           67            0           67            0
 (Total)                        4366585      3835033       168909       362643
-------------------------------------------------------------------------------
 Jupyter Notebooks      18            0            0            0            0
 |- Markdown             3          262            0          203           59
 |- Python               3          902          629           99          174
 (Total)                           1164          629          302          233
-------------------------------------------------------------------------------
 Markdown             2458       246083            0       185893        60190
 |- ABNF                 1           57           36            9           12
 |- BASH                68          806          660           93           53
 |- C                    5           63           54            0            9
 |- CMake                1           49           34            8            7
 |- C++                 55         3396         2540          521          335
 |- CSS                  8          117          111            3            3
 |- HTML                44          814          737           35           42
 |- Java                32         1610         1202          239          169
 |- JavaScript          25          698          541          127           30
 |- JSON                16          576          572            0            4
 |- Lisp                 1            7            7            0            0
 |- Objective-C          2           75           52            4           19
 |- Python              32          861          721           52           88
 |- Ruby                 1           17           11            2            4
 |- Rust               103         3701         2872          329          500
 |- Shell               89         1203         1019          121           63
 |- SQL                  3           87           74           10            3
 |- TOML                61          227          176           34           17
 |- XML                 13          303          265           28           10
 |- YAML                 2           37           37            0            0
 (Total)                         260787        11721       187508        61558
-------------------------------------------------------------------------------
 Rust                 2659       851932       755910        31493        64529
 |- Markdown          1261       105738         8619        78226        18893
 (Total)                         957670       764529       109719        83422
-------------------------------------------------------------------------------
 Vue                    16          194          104           42           48
 |- CSS                 13          359          294            7           58
 |- HTML                16          473          461           12            0
 |- JavaScript          16          884          697          125           62
 (Total)                           1910         1556          186          168
===============================================================================
 Total              282822     37789179     27090662      6018910      4679607
===============================================================================
tokei  10815.21s user 35.26s system 317% cpu 57:02.70 total
```


----------



## obsigna (May 11, 2022)

Please can somebody change the misleading title of this thread to _„Why node.js is a bomb in the course of exploding?“_

All the examples given above do not make the case against particular language(s) which happen to be involved.


----------



## fryshke (May 11, 2022)

And add a link to https://en.wikipedia.org/wiki/Supply_chain_attack

It's not NPM's fault, it happens mostly to NPM lately because of popularity.


----------



## kpedersen (May 11, 2022)

fryshke said:


> It's not NPM's fault, it happens mostly to NPM lately because of popularity.


It can probably be done with GitHub too tbh with "forgotten password" emails pointing to lost domains.

I would say it is particularly prevalent with NPM because typical Javascript projects tend to drag in even more dependencies than even Python PIP-loving projects.

This is simply a downside of racking up a tonne of technical debt in projects.


----------

