Node's Malicious Packages.
I only noticed at goat farming. But anyway, what would a left-justify package do?
> I only noticed at goat farming

Heh. I didn't even blink at that. I know a couple of open-source folks who actually packed up to buy off-grid farms in Portugal.

Pull left-pad as dependency presumably.
Which then, inexplicably, pulls left-justify as a recursive dependency.
The dependency cycle is actually the functional mechanism of the code, because they subvert the dedup mechanism in the package manager using a random generation trick. Each recursive copy of the dependencies takes up a little bit more space, which ultimately gets converted to the spaces inserted into the original datum; the caller is expected to adjust the cache settings to signal the desired amount. That's also why if you're using left-justify to process strings, Yarn is recommended for best compatibility. /joke