
All about npm and why it is the heart of JavaScript ecosystem? - fazlerocks
https://hashnode.com/post/npm-is-the-beating-heart-of-the-javascript-ecosystem-cimvnbetj02r1wz53u4bjw1dr
======
mcherm
I am disturbed by the cavalier dismissal of the security vulnerability created
by mutable and upgradeable versions.

npm does not have "immutable versions" -- the library you depend on can be
replaced with different code given the same version label and with a normal
toolchain this change would be picked up without even alerting you. As far as
I can tell, this has not been exploited, but it is ripe for abuse.

Furthermore, a package manager is more than just the server it runs on --
things like the culture of how it is used also matter. As far as I can tell
(please convince me I am wrong about this), common practice with npm is to
import "the latest" version of a library -- that's a security problem AND a
version incompatibility just waiting to bite someone.

