*bad Devs
Always look on the official repository. Not just to see if it exists, but also to make sure it isn’t a fake/malicious one
*bad Devs
Or devs who don’t give a shit. Most places have a lot of people who don’t give a shit because the company does not give a shit about them either.
What’s the diff between a bad dev and a dev that doesn’t care? Either way, whether it’s lack of skill or care, a bad dev is a bad dev at the end of the day.
I can be good at a trade, but if I’m working for a shit company with shit pay and shit treatment, they’re not going to get my best work.
You get out what you put in, that’s something employers don’t realise.
The difference is whether the fault for the leak of your personal data rests with the worker who was incompetent, or the employer who didn’t pay for proper secure software.
You’d be surprised how well someone who wants to can camouflage their package to look legit.
True. You can’t always be 100% sure. But a quick check for download counts/version count can help. And while searching for it in the repo, you can see other similarly named packages and prevent getting hit by a typo squatter.
Besides, it’s not just for security. What if the package you’re installing has a big banner in the readme that says “Deprecated and full of security issues”? It’s not a bad package per se, but still something you need to know.
Yeah, I’m confused on what the intent of the comment was. Apart from a code review, I don’t understand how someone would be able to tell that a package is fake. Unless they are grabbing it from a place with reviews/comments to warn them off.
The first most obvious sign is multiple identical packages, appearing to be the same thing, with weird stats and figures.
And possibly weird sizes. Usually people don’t try hard on package managing software, unless it’s an OS for some reason.
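The checks mentioned in the thread (download count, number of releases, near-identical names next to the one you wanted) can be scripted. The block below is an added example, not code from anyone in this discussion. It runs against a small constructed registry snapshot embedded in the file (the package names and numbers are made up, not real npm or PyPI data), and the thresholds (fewer than 1,000 downloads, a single release, a lookalike with more than 10× the downloads) are assumptions chosen for illustration.

```python
"""Heuristic typosquat / suspicious-package check over registry metadata.

Added example. REGISTRY is a constructed snapshot for demonstration only.
A real tool would fetch the same fields (downloads, version count) from the
registry's API and compare against a maintained list of well-known names.
"""

# Constructed snapshot: name -> (downloads last month, number of published versions)
REGISTRY = {
    "requests": (50_000_000, 150),
    "requets": (120, 1),       # looks like a typo of "requests"
    "request": (900, 2),       # also one edit away
    "numpy": (40_000_000, 120),
    "nunpy": (35, 1),          # keyboard-neighbour typo of "numpy"
    "flask": (20_000_000, 90),
}


def normalize(name: str) -> str:
    """Registries treat case and -/_ loosely, so compare in a canonical form."""
    return name.lower().replace("_", "-")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    swap two adjacent characters (catches 'reqeusts' as well as 'requets')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def find_lookalikes(name: str, registry: dict, max_dist: int = 1) -> list:
    """Other registry names within max_dist edits, most-downloaded first."""
    target = normalize(name)
    hits = [
        other
        for other in registry
        if normalize(other) != target and edit_distance(target, normalize(other)) <= max_dist
    ]
    return sorted(hits, key=lambda n: (-registry[n][0], n))


def assess(name: str, registry: dict = REGISTRY,
           min_downloads: int = 1_000, max_dist: int = 1) -> dict:
    """Return flags a reviewer would want to see before installing `name`."""
    entry = registry.get(name)
    flags = []
    if entry is None:
        flags.append("not found in registry")
        downloads = 0
    else:
        downloads, versions = entry
        if downloads < min_downloads:
            flags.append(f"low download count ({downloads})")
        if versions <= 1:
            flags.append("only one published version")

    lookalikes = find_lookalikes(name, registry, max_dist)
    likely_intended = None
    if lookalikes:
        top = lookalikes[0]
        # A near-identical name that is vastly more popular is the usual
        # sign that this package is the squat and `top` is the real one.
        if registry[top][0] > 10 * max(downloads, 1):
            likely_intended = top
            flags.append(f"possible typosquat of {top}")

    return {
        "name": name,
        "found": entry is not None,
        "flags": flags,
        "lookalikes": lookalikes,
        "likely_intended": likely_intended,
    }


if __name__ == "__main__":
    for candidate in ("requests", "requets", "numpyy"):
        print(assess(candidate))
```

Running it shows the intended behaviour: the well-known name comes back with no flags even though it has lookalikes, while a one-release package with a hundred downloads sitting one edit away from a 50-million-download name is flagged with the likely intended package named. The same lookalike list is what surfaces the "several near-identical packages with odd stats" pattern mentioned above.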
The official repositories often have no useful oversight either. At least once a year, you’ll hear about a malicious package in npm or PyPI getting widespread enough to cause real havoc. Typosquatting runs rampant, and formerly reputable packages end up in the hands of scammers when their original devs try to find someone to hand them over to.