• nyan@lemmy.cafe
    link
    fedilink
    English
    arrow-up
    18
    ·
    8 months ago

    The official repositories often have no useful oversight either. At least once a year, you’ll hear about a malicious package in npm or PyPI getting widespread enough to cause real havoc. Typosquatting runs rampant, and formerly reputable packages end up in the hands of scammers when their original devs try to find someone to hand them over to.