DEV Community

Discussion on: How I exploited NPM downloads... and why you shouldn't trust them

oguimbal profile image
Olivier Guimbal • Edited on

I agree... You could argue the same with security:

I can create an exploit in an npm package -> everyone does -> npm is fundamentally unsafe.

That is kind of true, but no one stops using npm for this reason. I guess the same goes for every metric. Who guarantees you that a project github stars dont come from a clickfarm ?

When using a npm package, you're trusting its author, to some extend.

(This is fun to see that npm doesnt even try to protect itself against this, though)

moopet profile image
Ben Sinclair

That's not what the post is getting at (to my reading). The equivalent would be, I think:

There happens to be wild fluctuations in the number of exploits accidentally appearing in npm packages due to cosmic rays -> I can demonstrate getting an exploit into an hyperbolic number of npm packages to prove a point -> npm is fundamentally unsafe.

It's talking about how the metric is useless even in telling you how many unique users downloaded a package, or how often something caches it or runs a build job.