Re: Just goes to show
I dunno why people are downvoting this. This person is exactly right. The OP's theory is lovely, but it's completely unworkable. Nobody in the world except *possibly* extremely paranoid spy agencies with extremely large budgets is actually *doing* this:
"When you are notified of an update, you evaluate the necessity of the update, review the new code if the update is necessary for you, and apply it to your test server only if you do intend to use it. There, you test it thoroughly and validate its merging with production code on servers you control."
with all their code because it's just not realistically possible. For a start, if you're using any closed source code... you can't review the new code. Game over. Even if you're using 100% open source: who has the in-house expertise, and the person-hours available, to review all the changes in every new version of the Linux kernel they deploy? And every new version of glibc? And every new version of Java? And every new version of every bit of their Python stack? And their Perl stack? And their PHP stack? Sorry, but it just ain't happening. I'm not doing it, you're not doing it, and no-one commenting on this thread is doing it.
The terrifying thing here, really, is there's nothing particularly specific to NPM about it. Yeah, NPM is kinda an outlier in terms of the sheer amount of bits that are in it and the sheer amount of them that any given JS project probably winds up depending on. But it would not be *that* difficult to do this same thing in any other language ecosystem. You absolutely could write a useful Python library, wait for projects to adopt it, maintain it well for a while, then upload a new version with a subtle backdoor to PyPI, and I severely doubt anyone would catch it, at least not immediately. It would very likely wind up in all the Linux distros and umpteen commercial software projects in relatively short order. Hell, I would not be at all surprised if this has *already happened*. Probably more than once.