AMI Praha Security news 26/11/2018

The developer ecosystem of the modern web frontend is not doing well. Cynics have long claimed that a culture of packaging trivialities as separate dependencies, combined with a lack of discipline, would lead to disaster. It already has: https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm marked the first shattering of confidence in the youngest generation of engineers around JavaScript and the web, and in their ability to play such a responsible role in today's world.

Although the left-pad fiasco brought some positive changes, it remained an open secret that the node.js ecosystem was, from a security perspective, a burning tire dump: https://medium.com/commitlog/the-internet-is-at-the-mercy-of-a-handful-of-people-73fac4bc5068. Nor did warnings help, even when they came in the form of very specific instructions on how the developer infrastructure could be used to spread malware globally to unsuspecting visitors of completely innocent and trustworthy sites: https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5.

And that is why it happened again today, for real this time: https://github.com/dominictarr/event-stream/issues/116. Let's take this as a reminder that visiting virtually any web site amounts to running a de facto unknown program on your computer, written by hundreds of random unknown developers without any supervision. Having JavaScript turned off by default doesn't seem like paranoid nuttiness anymore, does it?

Author: František Řezáč