Unless you were hiding under a rock, you probably heard about the “event-stream situation” on NPM this week. TLDR: the original maintainer of the
event-stream package was tired of maintaining it. He handed over the reins to a different developer, who promptly injected malware and released a new version.
Much of the ink spilled on this subject focused on open source expectations and who. was. responsible. for. this. happening. I don’t want to spend much time on this part of the discussion, so I’ll keep it short by saying the entitlement on display in that GitHub issue was remarkable. Imagine a scenario where someone gave $20 to everyone who wanted it. Some folks in that thread would be angry because it wasn’t $50.
What I do want to spend time talking about is why this happened. And why does it keep happening to Node/NPM?