Context: A widely used npm package was discovered to have a dependency with an encrypted payload in it, which tries to steal people's bitcoins [1].
I was reading through the GitHub issue exposing the attack, and some people had some less than nice things to say about the dev who handed over the project (event-stream) to another dev who put the payload in.
If you read through the thread, you'll find more salty people.
My problem: Are people forgetting what open source code is, and that most of the time it comes with the warning:
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY...
There is a responsibility for the dev to vet what is being put into their project, but also a larger responsibility for large companies to vet dependencies themselves, such as this package, event-stream.
Bonus: the commit which added the bad dependency, flatmap-stream.
Edit: typos