If you someone made a concerted effort to put malware in a low level npm package, how hard would it be to detect?
Worryingly, it would be really difficult.
https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
Related Posts
One nice feature of cargo that I wasn't previously aware of: you don't need to do anything after updating your Cargo.toml.
In npm, you need to remember to `npm i` after changing package.json. It's not declarative and the state can get out of sync.
When writing long-lived programs (daemons etc) in Rust, I find myself asking *where* I should put data.
In a GC'd language it's just "I have a string" but Rust forces me to find somewhere to put it.
You do get a performance benefit for this work though.
Are there any package managers that treat changelogs as a first class concept?
I end up looking for a CHANGELOG.md or a CHANGES.txt in the source code repository every time. The lack of standard prevents package hosting services being able to show changes.