I stumbled across this article, where it was reported that the developer of popular NPM packages colors and faker decided to go rogue and deliberately destroy the usability of their packages. Since many packages depend on those packages (mostly indirectly), this broke many extremely popular tools. It is certainly not the first time this happened in the NPM ecosphere: there was another small NPM package a few years ago, leftpad, which similarly broke millions of packages, and likely there were a few in between that I missed.
I don’t know if this is the right venue to discuss this, or if anyone else is even concerned, but I see similarities to how the Julia package system is set up and I cannot stop asking myself:
- Could something similar happen to Julia as well?
- Did this already happen?
- Is this something the Julia/Pkg.jl “core developers” (whatever that means) think about and are there mitigation strategies in place?
I’d be interested in hearing your thoughts on this, especially when considering that reproducibility is one of the top six (or three, depending on how you see it) unique selling propositions.