Nicholas Zakas
Yeah, so, like, ESLint, which I help maintain, has over 200 million downloads a month.
And we have had from time to time these very mysterious pull requests that show up, where all it is is somebody changing a dependency with no description or anything.
And when we ask them, hey, what are you trying to do on this?
What's the point of this pull request?
We get nothing.
It doesn't happen a lot, but it's happened frequently enough
that it's always felt to me like a penetration test to see how easy it would be to land a pull request on ESLint because it's downloaded so much.
And knowing that it's going to go out basically immediately to all kinds of CI systems and personal laptops and what have you, we're always very, very careful about changing dependencies and
thinking about which dependencies you want to add into the ESLint package.json file.
Because there is a big responsibility when you have a package that's downloaded so frequently by so many different people.
And it just kept coming back to like, no matter what I'm doing, no matter what security practices we're putting into place,
it seems like there's always some way for somebody to get in and cause trouble.
And we did have, I want to say, maybe nine or ten years ago, we did actually have a compromised package get into ESLint, but it was one of our own packages, and it was kind of traditional.
Somebody had reused their credentials on another site.
That site had been hacked.
And they ended up having their NPM credentials stolen as a result.
And then they could publish ESLint packages using that.
After that, we changed so that nobody's individual NPM account has published rights for ESLint packages.
But we're still in the situation where we use so many dependencies, and not to mention dependencies of dependencies,
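The "mysterious pull request" pattern described above, dependency-only changes with no explanation, can be surfaced automatically in CI. The following is an added example, not ESLint's own tooling: it diffs the dependency fields of two package.json manifests and flags a PR that changes nothing else and carries no description, so a maintainer can ask for a justification before review. The manifests, package name and PR description are constructed sample input.

```python
import json

# Manifest fields whose changes a maintainer would want called out explicitly.
DEP_FIELDS = ("dependencies", "devDependencies", "peerDependencies", "optionalDependencies")


def dependency_changes(old_pkg, new_pkg):
    """Map each dependency field to {name: (old_version, new_version)} for every
    dependency that was added, removed or re-pinned between the two manifests."""
    changes = {}
    for field in DEP_FIELDS:
        old, new = old_pkg.get(field, {}), new_pkg.get(field, {})
        diff = {name: (old.get(name), new.get(name))
                for name in sorted(set(old) | set(new))
                if old.get(name) != new.get(name)}
        if diff:
            changes[field] = diff
    return changes


def touches_only_dependencies(old_pkg, new_pkg):
    """True when the two manifests differ only inside the dependency fields."""
    strip = lambda pkg: {k: v for k, v in pkg.items() if k not in DEP_FIELDS}
    return strip(old_pkg) == strip(new_pkg)


def triage_pull_request(old_manifest, new_manifest, description, changed_files):
    """Flag a PR that changes dependencies and nothing else, with no explanation.
    changed_files is the list of paths the PR touches; only manifest/lockfile
    changes count as dependency-only."""
    old_pkg, new_pkg = json.loads(old_manifest), json.loads(new_manifest)
    deps = dependency_changes(old_pkg, new_pkg)
    dependency_only = (bool(deps)
                       and touches_only_dependencies(old_pkg, new_pkg)
                       and set(changed_files) <= {"package.json", "package-lock.json"})
    return {
        "dependency_changes": deps,
        "dependency_only": dependency_only,
        "needs_justification": dependency_only and not description.strip(),
    }


# Constructed sample: a hypothetical PR that re-pins one dependency and says nothing about why.
OLD_MANIFEST = '{"name": "example-pkg", "version": "1.0.0", "dependencies": {"example-dep": "1.3.0"}}'
NEW_MANIFEST = '{"name": "example-pkg", "version": "1.0.0", "dependencies": {"example-dep": "1.4.0"}}'

if __name__ == "__main__":
    print(triage_pull_request(OLD_MANIFEST, NEW_MANIFEST, "", ["package.json"]))
```

In a real pipeline the two manifests come from the PR's base and head commits and the description from the PR body; a flagged result is a prompt for the "what are you trying to do?" question, not an automatic rejection.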