‘No Way To Prevent This,’ Says Only Package Manager Where This Regularly Happens | Kevin Patel
「 “It’s a shame, but what can you do? This is just the price of building modern web apps,” said Senior Frontend Engineer Mark Vance, echoing the sentiments of a community that completely relies on a 40-level-deep nested tree of unvetted packages maintained by pseudonymous strangers to capitalize a single string 」
@jbz to be fair to npm, I'm pretty sure this has also happened in pypi and cargo. The problem, really, seems to be that central package managers are juicy targets.
@Solemarc @jbz this is an interesting point you raise. I would be interested in seeing any evidence to support this statement.
(Full disclosure: I have contributed to PyPI and have used npm and cargo. I am only aware of two incidents with PyPI, in August 2025 and February 2026. Both were then identified and fixed, and additional security validation was put in place...)
Yep, the way package repos are used these days promotes that kind of thing, which brings me to my reaction:
“This is just the price of building modern web apps,” sounds completely correct, and it's just a shame that this IS the price we all pay for what the industry regards as the form of a modern web app.
It's caveman stuff to not wire in all of that stuff.
...and so cavemen had faster web browsing even on ancient computers :)