Days since last malicious packages in NPM: 0 (evergreen)
replyDays since last malicious packages in PyPI: 30
Days since last malicious packages in Maven: 120
I'm sure this isn't 100% accurate, and there are probably better metrics (average number of malicious packages per year, average number of developers affected per year, etc) but they aren't as easy as a quick Google News search.
Except that the JavaScript / NPM ecosystem is 6-7 times larger than Python and Java / Maven.
replyhttps://chatgpt.com/share/6a1da751-0d88-832e-ace7-572bc786e0...
Check the linked resource which has the actual data.
Thanks for the link. However, a 7x size differential does not fully explain a 100x security incident differential -- although I'm sure it's part of it. Some of the root causes are very hard to address (e.g. a very limited standard library which encourages dependency explosions), some are just hard (e.g. established cultural norms around version pinning and upgrades, well-established reliance on install scripts) and some are easier (e.g. small tool improvements like min-release-age). I'm personally not going to touch npm with a ten foot pole in the next year or two, but I'd love to see significant improvement, so that I have that option again in 2 or 3 years. Stay safe!
replyThe npm cli has bad defaults which you can turn off but they are there I presume for legacy reasons. The secure option is pnpm. The registry is fine.
replyAlso on our comment about size differential ... it absolutely can.
If I jump from 2 meters hight it will be mildly uncomfortable. Jumping from 12 meters will result in severe injurious and possibly death. None of these things go linearly in real world conditions.
no because I dont ship production software from gitlab, I use upstream maintained packages?
reply