About a month ago NPM was compromised. It was advised to lock versions to before the compromise.

However, one eventually needs to unlock and start getting updates again. Does anybody know if the coast is clear, or possibly a place that is tracking known compromised packages and their current status?

  • mlfh@lemmy.sdf.org · 2 upvotes · 5 days ago

    I think one of the issues inherent to the node ecosystem is that the coast is never clear. When the ethos is to never reinvent the wheel, and instead pull in a dependency chain of thousands of tiny things made by thousands of people (not necessarily a bad thing; it saves time and lets developers focus on what they really want to do), you’re going to have supply chain attacks that go undetected, because nobody has time to vet every single change to all those thousands of things.