
The reason is that auto-updates and CI tools have reached a critical saturation and everybody uses them. Years ago, `npm install` would have been more likely to be run manually, and only if something in the build breaks - which means once in a blue moon. Supply chain attacks depend on people (or more likely, pipelines) mindlessly auto-updating packages as soon as they are released.
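A dependency check for the pattern described above (floating ranges plus pipelines pulling releases the moment they land), as an added example that is not code from this thread. Package names, dates and the registry `time` map are constructed, shaped like the per-version publish timestamps in an npm packument.

```javascript
// Added example: audit dependency specs and resolved versions against two rules:
//  1. the spec must be an exact pin (caret/tilde/x ranges float to whatever is newest);
//  2. the resolved version must be older than a cooldown, so a freshly published
//     (possibly hijacked) release is not installed automatically.
const MIN_AGE_DAYS = 7; // assumed policy value, not from the thread

// Exact pins look like 1.2.3 or 1.2.3-beta.1; anything else is treated as floating.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Versions in `timeMap` (version -> ISO publish date) published within the cooldown.
function tooFresh(timeMap, now, minAgeDays) {
  const cutoff = now.getTime() - minAgeDays * 86400e3;
  return Object.entries(timeMap)
    .filter(([v]) => v !== 'created' && v !== 'modified') // packument bookkeeping keys
    .filter(([, iso]) => new Date(iso).getTime() > cutoff)
    .map(([v]) => v);
}

// deps: package.json-style {name: spec}; resolved: lockfile-style {name: version};
// registryTime: {name: timeMap}. Returns one finding per violated rule.
function audit(deps, resolved, registryTime, now, minAgeDays = MIN_AGE_DAYS) {
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    if (!isExactPin(spec)) findings.push({ name, issue: 'floating-range', spec });
    const version = resolved[name];
    const fresh = tooFresh(registryTime[name] || {}, now, minAgeDays);
    if (version && fresh.includes(version)) findings.push({ name, issue: 'too-fresh', version });
  }
  return findings;
}

// Constructed sample input (not real packages or real publish dates).
const SAMPLE_DEPS = { 'widget-lib': '^1.3.0', 'util-helpers': '2.0.0', 'log-fmt': '~0.9.0' };
const SAMPLE_RESOLVED = { 'widget-lib': '1.3.1', 'util-helpers': '2.0.0', 'log-fmt': '0.9.4' };
const SAMPLE_REGISTRY_TIME = {
  'widget-lib': { created: '2018-01-01T00:00:00Z', '1.3.0': '2018-01-01T00:00:00Z', '1.3.1': '2024-03-10T00:00:00Z' },
  'util-helpers': { created: '2021-02-20T00:00:00Z', '2.0.0': '2021-02-20T00:00:00Z' },
  'log-fmt': { created: '2023-01-01T00:00:00Z', '0.9.4': '2023-11-01T00:00:00Z' },
};
const SAMPLE_NOW = new Date('2024-03-12T00:00:00Z');

console.log(audit(SAMPLE_DEPS, SAMPLE_RESOLVED, SAMPLE_REGISTRY_TIME, SAMPLE_NOW));
```

With the sample input, widget-lib is flagged twice (floating range and a two-day-old release) and log-fmt once (floating range only); util-helpers passes.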


It's almost like we need a better way to understand what's in a package update than the "semantic versioning" honor system!



