If NPM really cared, they'd stop recommending people use their poorly designed v... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		cxr 19 days ago \| parent \| context \| favorite \| on: Shai-Hulud malware attack: Tinycolor and over 40 N... If NPM really cared, they'd stop recommending people use their poorly designed version control system that relies on late-fetching third-party components required by the build step, and they'd advise people to pick a reliable and robust VCS like Git for tracking/storing/retrieving source code objects and stick to that. This will never happen. NPM has also been sending out nag emails for the last 2+ years about 2FA. If anything, that constituted an assist in the attack on the Junon account that we saw a couple weeks ago.

ptx 19 days ago [–]

NPM lock files seem to include hashes for integrity checking, so as long as you check the lock file into the VCS, what's the difference?

cxr 19 days ago | [–]

Wrong question; NPM isn't bedrock. The question to be answered if there is no difference is, "In that case, why bother with NPM?"

Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact