Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Yes we tried, but npm would not let us because of "dependencies". We've reached out to them and are waiting for a response. In the meantime, we re-published the packages with newer versions so people won't accidentally install the compromised version.


At least one thing is clear from this week: npm is too slow to respond.


> npm is too slow to respond

Microsoft has been bravely saying "Security is top priority" since 2002 (https://www.cnet.com/tech/tech-industry/gates-security-is-to...) and every now and then reminds us that they put "security above all else" (latest in 2024: https://blogs.microsoft.com/blog/2024/05/03/prioritizing-sec...), yet things like this persists.

For how long time do Microsoft need to leave wide-open holes for the government to crack down on their wilful ignorance? Unless people go to jail, literally nothing will happen.


TIL that NPM is a subsidiary of GitHub, making this indeed Microsoft's responsibility.


they have now removed the affected versions!




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: