I'll preface this by saying that I have nothing against the author, I'm just trying to make a point about the NPM ecosystem and supply chain attacks.

> The problems seemed easily solvable and would require some moderate amount of work.

> When that got merged, surprise! I was made a project contributor.

> Now I felt even more excited. I could push fixes and refactors without having to wait for someone to code review them.

Think about this, and then think about your dependencies. How easy would it be to pay a few people full time to contribute to the edges of the NPM ecosystem (deep dependencies, forgotten dependencies) and then slowly take control over some packages? Every result that's shown with "npm fund" is a potential target. Famously, Express was sold to a company (though this wasn't for supply chain attacks, but for clout I think?).

Of course that's also the good part of open source NPM-style: in some places there isn't much red tape. But I'm wondering if companies should rely on processes like that. That seems dangerous.

This is easily fixable by using tooling to help review. For example I have high hopes in the crev project: https://github.com/crev-dev/crev

As soon as you are no longer implicitly trusting all future versions of your dependencies, things become much more sane.
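An added example, not part of the comment above and not code from crev, of what "no longer implicitly trusting all future versions of your dependencies" looks like mechanically. It audits a package.json for version specs that resolve to whatever the registry serves at install time (caret/tilde/comparator ranges, wildcards, dist-tags such as `latest`, git refs that aren't commit hashes) and checks an npm lockfile (v2/v3 `packages` map) for entries that carry no `integrity` hash. The manifest and lockfile are constructed for the example; the names and specs in them are made up.

```javascript
// Added example: flag dependency specs that implicitly trust future releases.
// Sample manifest and lockfile below are constructed, not real projects.

// Exact, immutable registry version: MAJOR.MINOR.PATCH with optional
// prerelease/build suffix. Anything else delegates the choice of bytes to
// install time (or to the git remote).
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Returns null when the spec is pinned to one immutable version, otherwise
// a short reason describing why it will float.
function classifySpec(spec) {
  spec = String(spec).trim();

  // "npm:<name>@<spec>" aliases delegate to the aliased spec.
  if (spec.startsWith('npm:')) {
    const at = spec.lastIndexOf('@');
    // index 4 would be the '@' of a scoped name, i.e. no version given
    return at > 4 ? classifySpec(spec.slice(at + 1)) : 'alias without a version resolves to latest';
  }

  // npm tolerates a leading "=" or "v" on an exact version.
  const bare = spec.replace(/^=?v?(?=\d)/, '');
  if (EXACT_SEMVER.test(bare)) return null;

  // git dependencies are only immutable when pinned to a full commit hash;
  // a branch or tag name can be moved by whoever controls the repo.
  if (/^(git\+[\w-]+:|github:|gitlab:|bitbucket:|git@|https?:\/\/)/.test(spec)) {
    return /#[0-9a-f]{40}$/.test(spec) ? null : 'git dependency not pinned to a commit hash';
  }
  if (/^(file:|link:)/.test(spec)) return 'local path, not a registry version';
  if (/^[\^~]/.test(spec)) return 'caret/tilde range accepts future releases';
  if (/^[<>=]|\|\||\s-\s/.test(spec)) return 'comparator range accepts future releases';
  if (/^(\*|[xX]|\d+(\.(\d+|[xX*])){0,2})$|^$/.test(spec)) return 'wildcard range accepts future releases';
  return 'dist-tag or unrecognised spec resolves at install time';
}

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Walk every dependency field of a parsed package.json and collect findings.
function auditManifest(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const reason = classifySpec(spec);
      if (reason) findings.push({ name, field, spec, reason });
    }
  }
  return findings;
}

// A pinned manifest only freezes the direct edges; the lockfile pins the
// transitive tree. An entry without "integrity" is resolved by version alone,
// so a registry (or whoever sits between you and it) could serve different bytes.
function lockedWithoutIntegrity(lock) {
  const missing = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue; // root project and workspace links
    if (!entry.integrity) missing.push(path);
  }
  return missing;
}

// Constructed sample input (hypothetical package names and specs).
const samplePackage = {
  name: 'example-app',
  dependencies: {
    express: '^4.18.2',
    lodash: '4.17.21',
    leftpad: '*',
    'some-lib': 'latest',
    'my-fork': 'github:someone/some-lib#main',
    'pinned-fork': 'github:someone/some-lib#0123456789abcdef0123456789abcdef01234567',
    'utils-alias': 'npm:@scope/utils@~2.0.0',
  },
  devDependencies: { typescript: '>=5.0.0' },
};

const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
      integrity: 'sha512-constructedPlaceholderHash', // constructed, not a real digest
    },
    'node_modules/leftpad': { version: '0.0.1', resolved: 'https://example.invalid/leftpad-0.0.1.tgz' },
  },
};

for (const f of auditManifest(samplePackage)) {
  console.log(`${f.field}.${f.name} = "${f.spec}": ${f.reason}`);
}
console.log('lock entries without integrity:', lockedWithoutIntegrity(sampleLock));
```

Run it against a real project by replacing the constructed objects with `JSON.parse(fs.readFileSync('package.json'))` and the same for `package-lock.json`. Pinning everything exact is the blunt version of the idea; a review-based tool like crev lets you instead trust specific reviewed versions and still flag the upgrade, which is the same property (no implicit trust in unseen future releases) with less friction.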