[erlang-questions] rebar3 dependencies
Wed Mar 23 14:19:51 CET 2016
On 03/23/2016 02:00 PM, Roberto Ostinelli wrote:
> On Wed, Mar 23, 2016 at 1:56 PM, Loïc Hoguin wrote:
> Of course this can happen with hex.pm <http://hex.pm>. :-)
> Data published to Hex is hosted at the discretion
> of the Hex team, and may be removed.
> It can also happen to github, gitlab, bitbucket, and any other
> repository of code that allows removal.
> Indeed, but let me be less cryptic on what I was referring to: what
> I find more dangerous in this npm story is that:
> "[...] the global names used by the removed packages are available for
> anyone to register and replace with any code they wish. The fact that
> this is possible with NPM seems really dangerous. The author unpublished
> (erm, "liberated") over 250 NPM modules, making those global names (e.g.
> "map", "alert", "iframe", "subscription", etc) available for anyone to
> register and replace with any code they wish. Since these libs are now
> baked into various package.json configuration files (some with 10s of
> thousands of installs per month, "left-pad" with 2.5M/month), meaning a
> malicious actor could publish a new patch version bump (for every major
> and minor version combination) of these libs and ship whatever they want
> to future npm builds."
> I just don't know if hex.pm <http://hex.pm> does some checksum of code,
> which would impede this from happening.
Don't know about hex, but this particular problem doesn't exist when you
refer to git commits directly.
Just saying. :-)
Author of The Erlanger Playbook,
A book about software development using Erlang
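As an added illustration (not part of the thread), this is what the two styles of dependency look like in a rebar3 `rebar.config`: resolved by name (registry package, moving branch, movable tag) versus pinned to a commit. Package names, URLs and the commit hash are placeholders.

```erlang
%% Added example, not from the thread. Package names, URLs and the SHA
%% below are placeholders; the dependency syntax is standard rebar3.
{deps, [
    %% Resolved by name through hex.pm. Whoever controls the name
    %% "somelib" on the registry decides what "~> 1.2" resolves to the
    %% next time the lock file is refreshed (the npm scenario above).
    {somelib, "~> 1.2"},

    %% Resolved by name on a git host, following a moving branch:
    %% a force-push or a repository takeover changes what is fetched.
    {otherlib, {git, "https://example.invalid/org/otherlib.git",
                {branch, "master"}}},

    %% A tag is a fixed label, but tags can be deleted and re-created
    %% to point at different content.
    {thirdlib, {git, "https://example.invalid/org/thirdlib.git",
                {tag, "1.0.0"}}},

    %% Pinned to a full commit SHA (placeholder value). The checkout
    %% fails unless the fetched repository contains exactly that commit,
    %% so re-registering the name or replacing the repository cannot
    %% silently substitute other code.
    {pinnedlib, {git, "https://example.invalid/org/pinnedlib.git",
                 {ref, "0123456789abcdef0123456789abcdef01234567"}}}
]}.
```

rebar3 records the resolved ref for each git dependency in `rebar.lock`; committing that file keeps later builds on the same commits even when `rebar.config` uses a branch or tag.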