I certainly hope people don't just load this random website's script directly from their website frontend. That seems super insecure. If people want to use that popup they should download the code, give it a quick review, then host it themselves. This also solves the issue with that domain getting blocked.
> That seems super insecure. If people want to use that popup they should download the code, give it a quick review, then host it themselves.
If the node devs did the same thing, this whole story would have been a nonstarter. I don’t recall if you suggested for node devs to also do this.
Ironically, if the dev who made the hard drive wiping changes had said that it was a protest against the bad practices of the node ecosystem which allowed for their hard drive wiping code to work as intended, I think that the dev would be getting just as much ire cast their way, if not more. This way, they get to perform two protest actions at once.
I’m impressed. I don’t approve of his methods, but I do find the causes justifiable.
With backend code, malicious stuff has to get through testing and hopefully some level of review, which is why the hard drive wiping changes were deliberately obfuscated.
The problem with loading frontend libraries directly from third parties is that they can change that code at any time and for arbitrary subsets of users.
> The problem with loading frontend libraries directly from third parties is that they can change that code at any time and for arbitrary subsets of users.
I’m showing my ignorance here, but why does node do this? Is that just a consequence of how JavaScript works in the browser? Could node be designed or used differently so that it doesn’t have these failure modes?