Does the NPM faker/colors story relate to/affect the Julia package system?

I stumbled across this article, where it was reported that the developer of popular NPM packages colors and faker decided to go rogue and deliberately destroy the usability of their packages. Since many packages depend on those packages (mostly indirectly), this broke many extremely popular tools. It is certainly not the first time this happened in the NPM ecosphere: there was another small NPM package a few years ago, leftpad, which similarly broke millions of packages, and likely there were a few in between that I missed.

I don’t know if this is the right venue to discuss this, or if anyone else is even concerned, but I see similarities to how the Julia package system is set up and I cannot stop asking myself,

  1. Could something similar happen to Julia as well?
  2. Did this already happen?
  3. Is this something the Julia/Pkg.jl “core developers” (whatever that means) think about and are there mitigation strategies in place?

I’d be interested in hearing your thoughts on this, especially when considering that reproducibility is one of the top six (or three, depending on how you see it) unique selling propositions.


Compat does help but it won’t solve everything
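As an added illustration of what "Compat" refers to here (this is a constructed example, not code from the thread or from any Julia project; the package name and UUID are placeholders): a `[compat]` section in a project's Project.toml bounds which registered versions `]update` may resolve to, while the Manifest.toml that Pkg writes records the exact versions and `Pkg.instantiate()` reproduces them. The bound limits the blast radius of a broken release; it does not stop a maintainer from publishing a bad release inside the bound, which is the "won't solve everything" part.

```toml
# Project.toml of a hypothetical project (constructed example, not from the thread).
# The UUID below is a placeholder, not a real registered package.
name = "MyProject"

[deps]
SomeDep = "00000000-0000-0000-0000-000000000001"

# With no [compat] entry for SomeDep, `]update` resolves to the newest
# registered version, whatever its author just tagged.
#
# With a caret bound, updates stay within the stated major series;
# "1.2" means >= 1.2.0 and < 2.0.0 in Pkg's compat syntax.
[compat]
SomeDep = "1.2"
julia = "1.6"
```

The Manifest.toml committed alongside this file is what actually gives reproducibility: `Pkg.instantiate()` installs the pinned versions without consulting newer registry entries, so a release that appears after the manifest was written does not reach the project until someone runs `]update` and commits the new manifest.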

Various troubles people have had: Search results for 'downgrade' - JuliaLang

That random package you installed from GitHub because of CoolFeature could turn round and rm -rf all your files, execute a ransomware attack etc. when you ]update and run it.