I’m not super familiar with Maven so I could be wrong, but doesn’t Maven still pull depencies from upstream? That doesn’t fix the problem. Having depencies packaged in the OS means there is in theory some level of overview and review by the package maintainer(s).
There are two reasons. One is the name spacing that is inherent in Maven and bolted on to npm, and the enforcement or lack of enforcement in the repository. You can read more about that here https://blog.sonatype.com/why-namespacing-matters-in-public-open-source-repositories
Then there’s the fact that npm runs “install” scripts when you download the component. This means if you can trick someone into grabbing your component by namespace confusion, typosquatting a name etc, you can get code run as soon as someone makes a mistake. Maven on the other hand only downloads the jars, it does not execute them.
Taken together, you have an easier path to tricking people to grabbing your component with npm and that trick leads directly to code execution.
I am on my phone, which is a bit too long to explain, but there are multiple facets to how NPM is worse than most packaging systems out there. There are enough on the web for you to browse and learn, if you are really interested to know more.
But, here, I quoted a little something from Brian from Sonatype.
I’m not super familiar with Maven so I could be wrong, but doesn’t Maven still pull depencies from upstream? That doesn’t fix the problem. Having depencies packaged in the OS means there is in theory some level of overview and review by the package maintainer(s).
I am on my phone, which is a bit too long to explain, but there are multiple facets to how NPM is worse than most packaging systems out there. There are enough on the web for you to browse and learn, if you are really interested to know more.
But, here, I quoted a little something from Brian from Sonatype.