Conversation

If they wanted him to have the responsibility of doing due diligence, companies depending on his library should have paid him. He stated that he was doing it for fun and it stopped being fun so he handed it off to someone else as quickly as they showed up. It was a hobby project.
So I think if NPM encourages semver upgrades then I'm not sure I want to blame people for "blindly upgrading", but I'm not sure I feel comfortable putting the responsibility on the previous maintainer to maintain all of their software, for free, forever.
I don't think someone working on a hobby project for fun can be expected to take security seriously. People depending on it should look into what they're going to be using and who maintains it. There are more possibilities for disaster than giving it to a new maintainer.
So apparently npm has no package signing. I didn't realize it was that bad. The previous developer didn't even need to hand over a signing key to the new developer, since nothing is being signed and verified anyway. What if they had simply chosen a bad/reused password for npm?