I wouldn’t say pulling in higher versions is unsafe unless an attack like this succeeds. Otherwise it’s only an annoyance.
LurkingLuddite
- 0 Posts
- 10 Comments
That sounds more like bad practices from the community. It definitely has ways to use exact versions. Not the least of which the lock file. Or the shrinkwrap file which public packages should be using.
Genuine question. How is NPM more vulnerable than other repos? Haven’t similar supply chain attacks succeeded at least as well as this one through GitHub itself and even Linux package repos?
Never said it was as bad as Reddit. I’ve only said the opposite.
Well getting your account that you groomed up for who knows how long nuked is pretty damn close. Especially if you’re a main contributor to a comm or two and all that work disappears.
The admins literally administer the instances. Many of them directly running the instances on hardware they pay for. Even if the API didn’t allow it, they could just directly delete your user record from the DB.
You can still get your account nuked by butthurt admins.
Though again, still far better than Reddit.
LurkingLuddite@piefed.social to Fediverse@lemmy.world • I am in the fediverse now! (English)
162 · 2 months ago
Depends on what instance and what opinion you are toeing, still. Though it is still a far cry better than Reddit.
LurkingLuddite@piefed.social to Technology@lemmy.world • Bcachefs creator claims his custom LLM is 'fully conscious' (English)
16 · 3 months ago
ELIZA effect in full swing… Humans really are gullible.

More like a soiled dipe.