this post was submitted on 16 May 2026
205 points (97.2% liked)

Programming

26958 readers
466 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 2 years ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
UlrikHD@programming.dev
bugsmith@programming.dev
Spyro@programming.dev
205
‘No Way To Prevent This,’ Says Only Package Manager Where This Regularly Happens (kevinpatel.xyz)
submitted 1 day ago by HaraldvonBlauzahn@feddit.org to c/programming@programming.dev
43 comments fedilink hide all child comments
 

SAN FRANCISCO, CA - In the wake of a devastating supply chain attack in the npm registry that left millions of enterprise applications compromised and billions of user records exposed, developers across the JavaScript ecosystem expressed deep sorrow today, lamenting that such a crisis was completely unavoidable.

“It’s a shame, but what can you do? This is just the price of building modern web apps,” said Senior Frontend Engineer Mark Vance, echoing the sentiments of a community that completely relies on a 40-level-deep nested tree of unvetted packages maintained by pseudonymous strangers to capitalize a single string. “There’s absolutely no way to foresee or prevent someone from taking over a long-abandoned utility package and injecting a crypto-miner into every production build in the world. It’s just an act of nature.”

you are viewing a single comment's thread
view the rest of the comments
[–] tabular@lemmy.world 18 points 1 day ago (1 children)

I'm sure there are advatages to making web apps over regular software for OS's and that supply attacks can happen anywhere.. but the idea this is unavoidable is insanity. Stop making reckless "modern" web apps.

Speaking of "modern web apps" does OpenSUSE still use Firefox as an installer? When I tried the new major version on release I watched a browser unexpectedly open and slowly load a page. Coming from a snappy dedicated installer of prior versions, this made me question if I had downloaded malware.

[–] Grass@sh.itjust.works 1 points 1 day ago (1 children)

wait what? when was firefox used as an installer?

[–] tabular@lemmy.world 5 points 1 day ago* (last edited 13 hours ago)

Leap 16, and yeah the web app OS installer is called Agama.

RIP YaST