
Package name and description look scary when it appears as an indirect dependency

Open machado2 opened this issue 3 years ago • 3 comments

I saw a pirates package with the description saying it's gonna hijack something on my requires

machado2 avatar Aug 20 '22 19:08 machado2

Well, in a sense, the purpose of this module when seen at face value can indeed be "scary" (arbitrarily modifying the behavior of a require call). To me it mostly depends on how module authors use it, just like any other dependency (for example, rimraf, which could recursively delete all your things: do you consider that dangerous?). To me it boils down to the trust you have in your dependencies (in which case you must recursively trust their own trust in their own dependencies).

Do you have any actionable suggestion on how to improve this?

Tangential: recently I stumbled across Hagana which may help mitigating some of the "dangerous things" I was thinking above.

papb avatar Aug 22 '22 03:08 papb

I think anything longer in the package.json description would be good, if you think it's worth doing. It didn't take long to figure out this package is legit

machado2 avatar Aug 22 '22 04:08 machado2

Something like #102?

papb avatar Aug 22 '22 05:08 papb

:tada: This issue has been resolved in version 4.0.6 :tada:

The release is available on:

Your semantic-release bot :package::rocket:

github-actions[bot] avatar Jun 20 '23 09:06 github-actions[bot]