Popular npm library 'coa' was hijacked today with malicious code injected into it, ephemerally impacting React pipelines around the world. The 'coa' library, short for Command-Option-Argument, receives about 9 million weekly downloads on npm, and is used by almost 5 million open source repositories on GitHub.
Fair enough.
Reminds me of the same problem with C#, Visual Basic and the .NET framework, especially back in the day before .NET Core and the open source MSBuild. It was very hard to get into the ecosystem because almost all the tools and libraries were proprietary and usually cost money.
damn, that must have sucked 😬, although there’s a weird sense of security in only having to know and use a single set of tools and being able to solely rely on those 🤷♀️
but i’m glad we have open source tools now :)
Having a forced standard way of doing things is good for beginners, but the moment whatever entity controls that standard way screws up or no longer wants to keep developing it cough Google cough, or you need to do something that they didn’t account for, it’ll be a shitshow.