so it's looking like go's design where dependencies are URLs might have been, correct
to expand on this "dependency confusion" exploit, that's well worth reading, it's a critical, easily exploited, and quite easy to understand supply-chain attack https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

The Story of a Novel Supply Chain Attack

https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
the key concept being exploited here is *late binding*, a technique that's widespread in dynamic and object-oriented programming where a name does not *statically* identify a particular location or implementation, but is resolved to such at runtime
here, "runtime" means whenever your packages get installed
late binding on its own is fine as long as either:

- you fully understand the resolution algorithm, or

- you fully trust all locations that algorithm can resolve to
node's require('name') function is well-understood; there's a known and well-explained process by which 'name' is resolved to a full path to load a module

other languages have a "load path" of searchable directories but the same idea applies
however that works, you can in principle know everything this algorithm *could* load: it's all code that's somewhere on your disk, that you can go and audit
what's less clear, across several package ecosystems, is what the package installer does *at install time* when you have multiple sources configured
and that's where trust comes in. if you only have one source, then you know e.g. the name 'react' resolves to https://www.npmjs.com/package/react 

if you have multiple sources, and you don't know how your installer resolves a name across those sources, you have a problem
npm: react

React is a JavaScript library for building user interfaces.

https://www.npmjs.com/package/react
because a single name is now ambiguous: it could resolve to one of several locations, and some of those locations are outside your control
when you only use the canonical repo, 'react' resolving to https://www.npmjs.com/package/react  is fine, because you know what lives there, who owns it, and you can make a trust judgement about it
npm: react

React is a JavaScript library for building user interfaces.

https://www.npmjs.com/package/react
You can follow @mountain_ghosts.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
Those who think consciousness raising & movement building are disconnected, or even a distraction from electoral politics have not paid attention to the history of social change.In this thread, we
Read more
The 2020s will be known as the Remote Work decadeA few predictions of what is likely to emerge[ a thread ] Third Space: Office and Working from Home will
Read more
1/29: Have you ever had a concept explained to you that helps frame complex issues you’ve been wrestling with and opens your eyes to new possibilities? A concept that I
Read more
By continuing to use the site, you are consenting to the use of cookies as explained in our Cookie Policy to improve your experience.