Hacker News

This is going to seriously burn someone at one point. But right now, I think our package repositories are simply too convenient.

Maybe someone will aggressively squat a load of names and upload a package that scrolls a million lines of "YOUR REPOSITORY IS INSECURE!!1". Maybe that will make devs more security conscious.

First one to shake up the world by massively exploiting this gets to decide how bad it's going to be. "rm -rf /" would be fun too, or exfiltrating everyone's .ssh folder.



