I keep seeing people write this. But how would you ever know if one of your projects depended on a future package he maintains? Do you really track the authors of all packages you use against a shit list? And what if he just uses another name?
And there’s the real problem: a shit ton of people/orgs don’t know what’s in the software they use/ship, and just expect people to DTRT for free, forever.
We need to apply zero-trust everywhere. How do we know anything about anyone online? Unless it comes from a respected company, any npm project author could be a malicious actor just waiting to hit some large number of downloads to surreptitiously add a crypto-miner to it.
I think we just need to assume all of them are bad actors and review our dependencies (yes, unlikely to happen in practice given limited resources but that's a problem for someone else to solve).
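One concrete way to do the maintainer check asked about earlier in the thread, as an added example that is not from any commenter here: walk an npm lockfile (v2/v3 `packages` map layout assumed), look each installed package up against maintainer data, and flag watchlist hits and single-maintainer packages. The lockfile and maintainer lists below are constructed sample data; a real run would fill the map from `npm view <pkg> maintainers --json`, and a maintainer who registers under a new name will not be caught by a name-based list.

```javascript
// Added example (not from the thread). Constructed package-lock.json v2/v3
// "packages" map: key "" is the root, other keys are install paths, and
// nested installs appear as "node_modules/a/node_modules/b".
const lockfile = {
  packages: {
    "": { name: "my-app", dependencies: { "pkg-a": "^1.0.0" } },
    "node_modules/pkg-a": { version: "1.2.0", dependencies: { "pkg-b": "^2.0.0" } },
    "node_modules/pkg-a/node_modules/pkg-b": { version: "2.1.0" },
    "node_modules/pkg-c": { version: "0.3.0", dev: true },
  },
};

// Constructed registry view: package name -> maintainer usernames.
// In practice, fill this from `npm view <pkg> maintainers --json`.
const registryMaintainers = {
  "pkg-a": ["alice", "bob"],
  "pkg-b": ["mallory"],
  "pkg-c": ["carol"],
};

// Installed package names (scoped names like "@scope/name" survive the slice).
function installedPackages(lock) {
  const marker = "node_modules/";
  return Object.keys(lock.packages)
    .filter((p) => p.startsWith(marker))
    .map((p) => p.slice(p.lastIndexOf(marker) + marker.length));
}

// Audit: watchlist hits, single-maintainer packages (bus factor of one),
// and packages with no maintainer data at all (treat those as unreviewed).
function auditMaintainers(lock, maintainersByPkg, watchlist) {
  const watched = new Set(watchlist.map((n) => n.toLowerCase()));
  const flagged = [];
  const singleMaintainer = [];
  const unknown = [];
  for (const pkg of installedPackages(lock)) {
    const maintainers = maintainersByPkg[pkg];
    if (!maintainers) { unknown.push(pkg); continue; }
    const hits = maintainers.filter((m) => watched.has(m.toLowerCase()));
    if (hits.length > 0) flagged.push({ pkg, maintainers: hits });
    if (maintainers.length === 1) singleMaintainer.push(pkg);
  }
  return { flagged, singleMaintainer, unknown };
}

// Transitive dependency pkg-b is maintained solely by a watchlisted name.
console.log(JSON.stringify(auditMaintainers(lockfile, registryMaintainers, ["Mallory"])));
```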