<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Mar 23, 2016 at 1:56 PM, Loïc Hoguin <span dir="ltr"><<a href="mailto:essen@ninenines.eu" target="_blank">essen@ninenines.eu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Of course this can happen with <a href="http://hex.pm" rel="noreferrer" target="_blank">hex.pm</a>. :-)<br>
<br>
<a href="https://hex.pm/docs/codeofconduct" rel="noreferrer" target="_blank">https://hex.pm/docs/codeofconduct</a><br>
<br>
Data published to Hex is hosted at the discretion<br>
of the Hex team, and may be removed.<br>
<br>
It can also happen to github, gitlab, bitbucket, and any other repository of code that allows removal.</blockquote><div><br></div><div>Indeed, but let me be more less cryptic on what I was referring to: what I find more dangerous in this npm story is that:</div><div><br></div><div>"[...] the global names used by the removed packages are available for anyone to register and replace with any code they wish.The fact that this is possible with NPM seems really dangerous. The author unpublished (erm, "liberated") over 250 NPM modules, making those global names (e.g. "map", "alert", "iframe", "subscription", etc) available for anyone to register and replace with any code they wish. Since these libs are now baked into various package.json configuration files (some with 10s of thousands of installs per month, "left-pad" with 2.5M/month), meaning a malicious actor could publish a new patch version bump (for every major and minor version combination) of these libs and ship whatever they want to future npm builds." [1].</div><div><br></div><div>I just don't know if <a href="http://hex.pm">hex.pm</a> does some checksum of code, which would impeded for this to happen.</div><div><br></div><div>[1] <a href="https://news.ycombinator.com/item?id=11341006">https://news.ycombinator.com/item?id=11341006</a> </div><div> <br></div></div></div></div>