Days since last malicious packages in NPM: 0 (evergreen)
Days since last malicious packages in PyPI: 30
Days since last malicious packages in Maven: 120
I'm sure this isn't 100% accurate, and there are probably better metrics (average number of malicious packages per year, average number of developers affected per year, etc) but they aren't as easy as a quick Google News search.
Thanks for the link. However, a 7x size differential does not fully explain a 100x security incident differential -- although I'm sure it's part of it. Some of the root causes are very hard to address (e.g. a very limited standard library which encourages dependency explosions), some are just hard (e.g. established cultural norms around version pinning and upgrades, well-established reliance on install scripts) and some are easier (e.g. small tool improvements like min-release-age). I'm personally not going to touch npm with a ten foot pole in the next year or two, but I'd love to see significant improvement, so that I have that option again in 2 or 3 years. Stay safe!
The npm cli has bad defaults which you can turn off but they are there I presume for legacy reasons. The secure option is pnpm. The registry is fine.
Also, on your comment about size differential ... it absolutely can.
If I jump from 2 meters height it will be mildly uncomfortable. Jumping from 12 meters will result in severe injuries and possibly death. None of these things go linearly in real world conditions.
New PR: revert GitHub software and infrastructure to version of June 1st, 2018.
New PR: disable new user signups for 6 months
HR initiative: all future KPIs automatically require three-nines availability; all bonuses are forfeited, regardless of accomplishments, if annual availability falls below target
> Wake me up when the daily npm security breach headlines are typosquatting stories, not RCE-on-build or RCE-on-upgrade.
RCE-on-build/upgrade can be done in Maven if you manage to compromise one of the major Maven plugins, they run at build time. The thing keeping maven safe for now is that most people pin the plugin and dependency versions, with the obvious side effect that it's truly annoying to get all your dependencies updated.
> The thing keeping maven safe for now is that most people pin [...] versions
Yes, and also the signing of JARs that are uploaded to the repository, and the fact that most release processes are not fully automated, and the batteries-included standard library which reduces the total number of dependencies, and the fact that a run-of-the-mill third-party library can't execute code at build time, and the very small number of people with credentials to publish new versions of major Maven plugins, etc.
There are npm supply chain exploits in the news every other day. I'm honestly surprised that something as decentralized as Go Modules is more reliable, but here we are. The fact that we're not seeing these stories about e.g. Maven is not at all surprising, given the limited need for third party libraries and the culture of careful upgrades in the Java ecosystem. If npm proponents want the ecosystem to survive, they need to demand / create better and stop making excuses.
The future may be distributed quite unevenly here, as they say, with a divergence between a small amount of "responsible" code in systems which leverage AI defensively, and a larger amount of vibe-coded / prompt-engineered code in systems which don't go through the extra trouble, and in fact create additional risk by cutting corners on human review. I personally know a lot of people using AI to create software faster, but none of them have created special security harnesses a la Mozilla (https://arstechnica.com/information-technology/2026/05/mozil...).
He's saying that they have ideological concerns beyond the ideological concerns you would tend to associate with the EFF (digital privacy, open source, patent trolling, etc). I for one am sad to see that this is the case. There are fewer and fewer organizations protecting civil rights without being dragged into left/right tribalism.
This is an important point and it feels odd that the entire discussion seems to not be able to engage with it, but on another level it might be the same problem. As a long-term financial supporter of the EFF I'm starting to get the same awkward feelings that made me question my financial support for Mozilla and Wikipedia. Any time someone views the world through a single lens, it highlights some things and ignores others, and it seems like a net loss to the world that everything is being forced into being judged along a single (increasingly polarised) axis.
A free and open society is a prerequisite for the rights EFF fights for. We cannot enjoy the freedoms of digital privacy in an authoritarian regime. The rights to fight for EFF's concerns are currently being threatened by the fascist turn of the USA. Thus, the EFF and other like-minded organizations are very much justified in leaving X.
> There are fewer and fewer organizations protecting civil rights without being dragged into left/right tribalism.
I would rather challenge this image that civilization is declining, independently of the political forces in power. This is a common motif in fascism; I'm reading from your comment something along the lines of: "once we had noble organizations that were pure and didn't bother with ideology -- now things are worse, and in fact those guys are dirty for engaging in politics". What's really happening is that power in the US has been seized by fanatics and you fucks (respectfully) are letting them get away with it.
Disagree with so much here. But if, in your mind, the US is turning authoritarian, this is a "cut off your nose to spite your face" move. They should be taking the fight where it most needs fighting. They should not be making donors like myself question whether we still share objectives.
You are completely correct in your analysis. Reading some of the responses here - people who think the EFF should only fight for some rights for some people and only on corporate platforms instead of across society at large - would be shocking if I hadn’t already seen how willing rich tech bros are to overlook everyone and everything else for their own personal gain.
What are you talking about? I feel like I’m taking crazy pills reading these comments.
Do you not see that civil rights are being infringed _right now_, by the republican administration in our government? Protecting those civil rights will require criticizing and acting against republicans because the fascists on the right are trying to turn our country into an autocracy.
Sorry if that hurts your feelings, but you can’t be that fragile if you want to live in a free nation. The EFF taking a stand here is fighting EXACTLY the fight they need to be right now.
Where do you see that? All I see is a claim that it no longer makes sense from a financial standpoint (but no comparative numbers provided for the other platforms they are keeping, which is sus, especially given their presence on very niche platforms like Bluesky), and vague justifications based on identity politics and "community care" loci, which is either nonsense or deep argot unsuitable for the intended audience.
Assuming that Twitter's user count has remained relatively steady (within 100% either way), the only thing that could explain a huge drop in views would be a change to their opaque algorithm.
> To put it bluntly, an X post today receives less than 3% of the views a single tweet delivered seven years ago.