Stephen Downes

Knowledge, Learning, Community

The Risks of NPM

Jim Nielsen, Sept 23, 2025

In software ecosystems, developers often depend on prebuilt modules and functions called packages, distributed through registries such as (in this case) the Node Package Manager (NPM). These packages are independently maintained and upgraded by developers around the world. The most common problem is version control: using versions of packages that work well with each other. But this article describes another major problem: bad actors infiltrating packages with malware. The unsuspecting developer imports the package, and with it the malware, into the final product. GitHub and other agencies are tightening access control in an attempt to make packages more secure, but I wonder whether the better approach might not be to dispense with them altogether. When building CList I eschewed prebuilt packages and asked the AI to create the functions from scratch. This may be a safer approach in the long run, because it would be a lot harder to infiltrate an entire AI engine than a single package. See also: the Register.
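As an added example (not from the original post or the linked article), the script below audits an npm `package-lock.json` for the signals a defender checks when worried about a tampered dependency: entries with no `integrity` hash, tarballs resolved from somewhere other than the public registry, and packages that run install-time scripts. The lockfile, package names and hashes are constructed sample data.

```javascript
// Constructed sample lockfile (lockfileVersion 3 layout); not a real project.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { "left-pad": "^1.3.0" } },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER-HASH==",
    },
    "node_modules/some-native-lib": {
      version: "2.0.1",
      resolved: "https://registry.npmjs.org/some-native-lib/-/some-native-lib-2.0.1.tgz",
      integrity: "sha512-ANOTHER-CONSTRUCTED-HASH==",
      hasInstallScript: true, // npm sets this when the package declares install hooks
    },
    "node_modules/unpinned-helper": {
      version: "0.1.0",
      resolved: "https://example.invalid/unpinned-helper.tgz", // not the public registry
      // no integrity field: npm cannot verify the tarball it fetches
    },
  },
};

const REGISTRY_PREFIX = "https://registry.npmjs.org/";

// Walk every installed package in the lockfile and collect risk findings.
// Returns an array of { name, issue } objects so callers can gate CI on it.
function auditLockfile(lock) {
  const findings = [];
  for (const [entryPath, pkg] of Object.entries(lock.packages || {})) {
    if (entryPath === "") continue; // the root project itself
    const name = entryPath.replace(/^.*node_modules\//, "");
    if (!pkg.integrity) findings.push({ name, issue: "missing-integrity" });
    if (pkg.resolved && !pkg.resolved.startsWith(REGISTRY_PREFIX))
      findings.push({ name, issue: "non-registry-source" });
    if (pkg.hasInstallScript) findings.push({ name, issue: "install-script" });
  }
  return findings;
}

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.issue}: ${f.name}`);
```

A finding of `install-script` is not proof of malice (native add-ons legitimately build on install), but it marks the packages whose code runs at install time and so deserve review first.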



Stephen Downes, Casselman, Canada
stephen@downes.ca

Copyright 2025
Last Updated: Sept 23, 2025 3:41 p.m.

Creative Commons License.