
Why didn't crates.io maintainers apply the patch themselves? NPM does meddle with packages when an incident happens, like it did with left-pad.


I think that would be pretty disruptive, and would break some assumptions around crate integrity that are deeply held.

My understanding is that the left-pad incident is not directly analogous, since it involved restoring a deleted package rather than modifying an extant package.
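As an added illustration of the integrity assumption mentioned above (example code written for this page, not code from the thread, crates.io or Cargo): Cargo records the SHA-256 of each registry crate's `.crate` archive in `Cargo.lock` and rejects a download whose hash differs. Python stands in for Cargo's own Rust here; the lockfile text, crate name, version and archive bytes are all constructed, and an in-place edit to the published archive shows up as a mismatch for every project that had locked it.

```python
"""Mimic Cargo's lockfile checksum verification on constructed data.

Assumption (labelled): real Cargo.lock checksums are the SHA-256 hex digest of
the .crate tarball exactly as the registry serves it; this example computes
the same digest over made-up bytes instead of a real archive.
"""
import hashlib
import re

# Constructed stand-in for a downloaded .crate archive (not a real crate).
FAKE_CRATE_BYTES = b"constructed .crate tarball bytes for demo-crate 1.2.3"

# Constructed Cargo.lock fragment; the checksum is derived from the bytes above.
LOCKFILE = """
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "demo-crate"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "%s"

[[package]]
name = "local-helper"
version = "0.1.0"
""" % hashlib.sha256(FAKE_CRATE_BYTES).hexdigest()


def parse_lock_checksums(lock_text):
    """Map (name, version) -> checksum for every [[package]] entry that has one.

    Entries without a checksum (path or git dependencies) are not pinned by
    content hash and are skipped.
    """
    pinned = {}
    for block in lock_text.split("[[package]]")[1:]:
        fields = dict(re.findall(r'^(\w+) = "([^"]*)"$', block, flags=re.M))
        if "checksum" in fields:
            pinned[(fields["name"], fields["version"])] = fields["checksum"]
    return pinned


def verify_crate(lock_text, name, version, crate_bytes):
    """Return 'ok', 'mismatch' or 'unpinned' for one downloaded archive.

    'mismatch' is what a project would hit if the registry quietly replaced
    the archive behind an already-published name/version pair.
    """
    expected = parse_lock_checksums(lock_text).get((name, version))
    if expected is None:
        return "unpinned"
    actual = hashlib.sha256(crate_bytes).hexdigest()
    return "ok" if actual == expected else "mismatch"


def demo():
    """Original bytes verify; a 'patched' archive under the same version does not."""
    return {
        "original": verify_crate(LOCKFILE, "demo-crate", "1.2.3", FAKE_CRATE_BYTES),
        "patched": verify_crate(LOCKFILE, "demo-crate", "1.2.3", FAKE_CRATE_BYTES + b"\n# fix"),
        "local": verify_crate(LOCKFILE, "local-helper", "0.1.0", b"anything"),
    }


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{label}: {status}")
```

The `local-helper` entry shows the other side of the coin: a path dependency carries no checksum, so nothing in the lockfile would notice a change to it. Only registry crates get the content pin, which is exactly why altering a published archive in place is disruptive.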


Do you have a more relevant example of meddling besides a binary block/publish?



