Original Release date: 25 Mar 2016 | Last revised: 26 Mar 2016

Overview

npm allows packages to take actions that could let a malicious npm package author create a worm that spreads across the majority of the npm ecosystem.
I always thought there was something kind of lax about npm... That said, I wonder about stuff like this w.r.t. other language package managers. For instance, how much of RubyGems or Perl CPAN is reviewed? And those can both run stuff with root privileges. Likewise the repos for tools like Docker and Vagrant. Those have officially approved containers, but I wonder how many people/companies use third-party ones as bases for critical stuff.