
This is how the NPM ecosystem works. Run first, care about consequences later... because, you know, time to market matters more. Who cares about security? This is not new to the NPM ecosystem. At this point, every year there's a couple of funny instances like these. The most memorable one is from a decade ago: someone removed a package and it broke half the internet.

From Wikipedia:

    module.exports = leftpad;

    function leftpad (str, len, ch) {
      str = String(str);

      var i = -1;

      ch || (ch = ' ');
      len = len - str.length;


      while (++i < len) {
        str = ch + str;
      }

      return str;
    }

Every day I wake up and am glad that I chose Elixir. Thanks, NPM.

https://en.wikipedia.org/wiki/Npm_left-pad_incident




This is imo much worse than NPM, and full disclosure NPM is a part of our stack and I do not vet every package - I’d be out of a job if I took the time…

That said, packages can be audited, and people can validate that version X does what it says on the tin.

AI is a black box, however. Doesn’t matter what version, or what instructions you give it, whether it does what you want or even what it purports is completely up to chance, and that to me is a lot more risk to swallow. Leftpad was bad, sure, and it was also trivial to fix. LLMs are a different class of pain altogether, and I’m not sure what lasting and effective protection looks like.



