this post was submitted on 22 Dec 2025
132 points (97.8% liked)

Technology

78002 readers
2139 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
132
NPM Package With 56K Downloads Caught Stealing WhatsApp Messages (www.koi.ai)
submitted 5 days ago by King@sh.itjust.works to c/technology@lemmy.world
26 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] tux0r@feddit.org 14 points 5 days ago (17 children)

lol JavaScript

[–] wildbus8979@sh.itjust.works 17 points 5 days ago* (last edited 5 days ago) (16 children)

This truly has grown past a JS problem. NPM was kind of the first time dependencies were installed by the project rather than through the OS. But nowadays this has become the norm, golang, rust, and to an extent python also work by installing dependies directly from git for the most part. This isn't going to get any better unless we revert to OS based dependencies which noone wants to do because developers want the latest and greatest model.

[–] Venator@lemmy.nz 1 points 3 days ago* (last edited 2 days ago) (4 children)

noone wants to do because developers want the latest and greatest model.

That's not true at all, the OS doesn't have, and shouldn't have, everything that every random npm package has...

The alternative isn't for the OS to do it: its to implement everything yourself... Speaking previous from experience working at a company that did exactly that... It has its own set of problems... But it is at least possibly secure 😅

[–] vithigar@lemmy.ca 1 points 2 days ago (1 children)

There's another alternative, which is manually adding libraries to your project yourself instead of doing it all automatically through a package manager.

Yes, it's less convenient to download and import a package manually, especially if you need to do the same with a litany of dependencies, but I don't feel like that's a bad thing. Raising the barrier of entry for arbitrarily adding thousands of lines of other people's code to your project would force people to think about how much of that they actually need.

[–] Venator@lemmy.nz 1 points 2 days ago* (last edited 2 days ago)

Or you can just use git and pin your packages to specific versions and review the changes to the packages when they change using git diff...

load more comments (2 replies)
load more comments (13 replies)
load more comments (13 replies)