
It is one of the reasons why you should. But...

* Many don't.

* Even for those that do, something might slip through the cracks, particularly given how deep and wide some dependency trees go in the current JS ecosystem.

* Such attacks would still cause you problems once your audit spots one: you now have to hold back a version, perhaps back-porting security fixes, at least until you can migrate to another package or create your own (or, rather than creating fresh, decide to continue maintaining a fork of the affected one). And you may need a deeper audit, checking to see if anything else slipped by earlier that has left dangerous traces.

And the existence of dependency audits doesn't make damaging protest updates like this right any more than the existence of secure zips makes pick-pocketing those without them fine.
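The following is an added example, not code from this thread or from any of the projects it alludes to. It shows what the audit step in the comment above has to do in practice: walk an npm lockfile (lockfileVersion 2/3, whose "packages" map is keyed by install path), find every copy of a package including ones nested under other dependencies, and flag any copy newer than a version you have decided to hold back. The lockfile, the package names ("ui-kit", "report-lib", "palette") and the versions are constructed sample data.

```javascript
// Added example (not from the thread): walk an npm lockfile (lockfileVersion 2/3,
// "packages" map keyed by install path) to find every copy of a package, including
// ones nested under other dependencies, and flag copies newer than a held-back ceiling.
// The lockfile, package names and versions below are constructed sample data.

const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0",
          dependencies: { "ui-kit": "^2.0.0", "report-lib": "^1.4.0" } },
    "node_modules/ui-kit":     { version: "2.1.0", dependencies: { palette: "^1.3.0" } },
    "node_modules/report-lib": { version: "1.4.2", dependencies: { palette: "^1.5.0" } },
    "node_modules/palette":    { version: "1.4.0" },                      // hoisted copy, used by ui-kit
    "node_modules/report-lib/node_modules/palette": { version: "1.5.0" }, // nested copy, used by report-lib
  },
};

// Resolve `depName` from the package installed at `fromPath` the way Node does:
// look in fromPath/node_modules first, then walk up through each enclosing node_modules.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Every root-to-package chain that ends at `target`, with the version each chain gets.
function dependencyChains(lock, target) {
  const packages = lock.packages;
  const found = [];
  function walk(key, chain, seen) {
    const entry = packages[key];
    if (!entry) return;
    for (const dep of Object.keys(entry.dependencies || {})) {
      const resolved = resolveDep(packages, key, dep);
      if (!resolved || seen.has(resolved)) continue; // unresolvable dep or a cycle
      const next = chain.concat(dep);
      if (dep === target) {
        found.push({ chain: next, path: resolved, version: packages[resolved].version });
      }
      walk(resolved, next, new Set(seen).add(resolved));
    }
  }
  walk("", [], new Set([""]));
  return found;
}

// Minimal major.minor.patch comparison; pre-release tags are ignored, which is
// enough for a hold-back ceiling but is not a full semver implementation.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Chains that pull in `target` at a version above `maxVersion`: these are the copies
// an audit has to pin down or remove before the held-back version is the only one installed.
function holdbackViolations(lock, target, maxVersion) {
  return dependencyChains(lock, target)
    .filter((c) => compareVersions(c.version, maxVersion) > 0);
}

for (const v of holdbackViolations(sampleLock, "palette", "1.4.0")) {
  console.log(`${v.chain.join(" > ")} resolves ${v.path}@${v.version}, above ceiling 1.4.0`);
}
```

On the sample data the hoisted copy at 1.4.0 passes and the nested copy under report-lib at 1.5.0 is reported, which is exactly the case a plain `npm ls palette` at the top level can hide. Once a violating copy is found, npm's package.json `overrides` field (or yarn's `resolutions`) is the usual way to force the held-back version onto the whole tree while a migration or fork is sorted out.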



> Such attacks would still cause you problems once your audit spots one: you now have to hold back a version

That's not a problem caused by this "attack". You should assume that any open source project you use is unmaintained unless you have a support contract and that it will never get any updates again. A lot of these packages have a bus factor of 1 with no backup plan.



