@thecodingdude Just for clarification, in the case that spawned this, the malicious code was only present in the minified version of the code; this is something that might not be caught by a review process.
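The point above (a payload living only in a minified artifact that the source repository never contained) is what a reproducible-build comparison is meant to catch. The following is an added example for readers of this thread, not code from the Node.js or npm projects: it rebuilds the publishable files from a source tree and diffs them against the contents of the published tarball, flagging files that exist only in the tarball and files whose bytes differ from the rebuilt artifact. The `minify` stand-in, the file names and the package contents are constructed for the example; in practice the two inputs would come from the registry tarball and a fresh checkout of the tagged commit.

```python
"""Compare a published npm tarball's contents with a rebuild from source.

Added example (not from the thread). Files present only in the tarball, or whose
bytes differ from what the build step produces, are flagged for manual review.
All inputs below are constructed in memory so the script runs offline.
"""
import hashlib
import re


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def minify(src: bytes) -> bytes:
    """Stand-in for the project's real build step (assumption: a deterministic
    minifier that strips block comments and collapses whitespace)."""
    text = src.decode()
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"\s+", " ", text).strip()
    return text.encode()


def build_from_source(source: dict[str, bytes]) -> dict[str, bytes]:
    """Produce the set of files a clean build would publish: the sources plus
    a minified bundle derived from index.js (constructed layout)."""
    out = dict(source)
    out["index.min.js"] = minify(source["index.js"])
    return out


def audit_published(published: dict[str, bytes], source: dict[str, bytes]) -> dict:
    """Diff the published tarball against a rebuild of the source tree.

    unreviewed: files in the tarball that no rebuild step produces, so nobody
                reviewing the repository ever saw them.
    mismatched: files the build does produce, but with different bytes.
    missing:    files the build produces that the tarball lacks.
    """
    rebuilt = build_from_source(source)
    unreviewed = sorted(f for f in published if f not in rebuilt)
    mismatched = sorted(
        f for f in published
        if f in rebuilt and sha256(published[f]) != sha256(rebuilt[f])
    )
    missing = sorted(f for f in rebuilt if f not in published)
    return {
        "unreviewed": unreviewed,
        "mismatched": mismatched,
        "missing": missing,
        "ok": not (unreviewed or mismatched),
    }


# Constructed sample source tree (what a reviewer sees in the repository).
SOURCE_TREE = {
    "package.json": b'{"name": "example-pkg", "version": "1.0.0"}',
    "index.js": b"module.exports = function (arr, fn) {\n  return arr.flatMap(fn);\n};\n",
}

# Constructed sample tarball: the minified bundle carries bytes that no source
# file produces, and an extra file was never committed to the repository.
PUBLISHED_TARBALL = build_from_source(SOURCE_TREE)
PUBLISHED_TARBALL["index.min.js"] += b";/* bytes not derived from any source file */"
PUBLISHED_TARBALL["extra.js"] = b"// file present only in the published tarball\n"


if __name__ == "__main__":
    report = audit_published(PUBLISHED_TARBALL, SOURCE_TREE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the script reports `index.min.js` as mismatched and `extra.js` as unreviewed, which is exactly the shape of discrepancy a source-only review would miss. The check only works when the build step is deterministic; a non-reproducible minifier would turn every release into a false positive, so pinning the toolchain is a prerequisite.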
since the NPM organization disabled issues
.... and they also included links to the appropriate places where support and other requests should go. It seems like the changes being requested here are within npm's domain, since they maintain the software, not node core. Have you considered posting what you already have over in the appropriate npm support channel?
Thanks for the large summary. However, all of this is unrelated to nodejs except for "Merge NPM/Node". I would suggest you open a separate issue on the https://github.com/nodejs/tsc repo if you think such a thing should happen.
Issues with npm itself should be taken up with npm. I assume you can open the relevant issues at https://github.com/npm/ or https://npm.community.
I'm going to close this. Please feel free to re-open if you feel some part of this hasn't been adequately addressed by the node.js team.
@thecodingdude don't misunderstand me, I agree with you on pretty much all these points, but this issue in specific was not outlining anything for the node project to do (except for "Merge NPM/Node", for which I pointed you to a better place to open that issue).
It seems like what you want is for node to change its relationship with npm. However, that is not what this issue is discussing. This issue is discussing changes npm can make, which should definitely go in an npm namespace, not a node namespace.
I would be quite interested in discussing something actionable on the part of node, such as discontinuing the shipment of npm with node, but that isn't what this issue was.
Hey, I think this discussion should be had with @nodejs/security-wg - they discuss these things regularly.
In particular with the flatmap-stream issue (which is both frustrating and severe) - there is a new initiative called https://github.com/nodejs/package-maintenance
Going to lock this as there's seeming consensus that this is not the correct repo/location for this discussion and the issue has been closed by the original author.
@thecodingdude we appreciate you opening this issue and the effort you put into framing this effectively. If you'd like to continue this discussion, I would advise following the advice from Myles in #24664 – we have several initiatives and working groups that this could definitely fall under, which Myles outlined very concisely. Contributions welcome! 🤗