[erlang-questions] rebar3 dependencies

Roberto Ostinelli <>
Wed Mar 23 14:00:38 CET 2016


On Wed, Mar 23, 2016 at 1:56 PM, Loïc Hoguin <> wrote:

> Of course this can happen with hex.pm. :-)
>
> https://hex.pm/docs/codeofconduct
>
>   Data published to Hex is hosted at the discretion
>   of the Hex team, and may be removed.
>
> It can also happen to github, gitlab, bitbucket, and any other repository
> of code that allows removal.


Indeed, but let me be more less cryptic on what I was referring to: what I
find more dangerous in this npm story is that:

"[...] the global names used by the removed packages are available for
anyone to register and replace with any code they wish.The fact that this
is possible with NPM seems really dangerous. The author unpublished (erm,
"liberated") over 250 NPM modules, making those global names (e.g. "map",
"alert", "iframe", "subscription", etc) available for anyone to register
and replace with any code they wish. Since these libs are now baked into
various package.json configuration files (some with 10s of thousands of
installs per month, "left-pad" with 2.5M/month), meaning a malicious actor
could publish a new patch version bump (for every major and minor version
combination) of these libs and ship whatever they want to future npm
builds." [1].

I just don't know if hex.pm does some checksum of code, which would impeded
for this to happen.

[1] https://news.ycombinator.com/item?id=11341006
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20160323/b489f343/attachment.html>


More information about the erlang-questions mailing list