@hongminhee@hollo.social · Reply to happyborg

@happyborg Setting GitHub aside, I just can't understand why npm still isn't a non-profit foundation. And why the JavaScript community just lets it happen.

2 replies

@strypey@mastodon.nzoss.nz · Reply to 洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee
> I just can't understand why npm still isn't a non-profit foundation

I can't understand why anyone keeps using npm despite their ongoing inability to avoid delivering malicious software from their repos;

thehackernews.com/2025/12/27-m

They have one job: reviewing the code they host, and the maintainers of that code, for quality control. They fail constantly.

@happyborg

thehackernews.com

27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials

Researchers uncovered 27 malicious npm packages used over five months to host phishing pages that steal credentials from targeted organizations.

@happyborg@fosstodon.org · Reply to 洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee Unless someone makes it happen, it can't happen, and it's not an easy task.

I'm so pleased that there are people who can and do do these things though. So I support Codeberg for example and had a good go at moving my (rather minimal) CI over. I was nearly there but didn't have time to complete it, so everything except release builds (Rust, Svelte + Rust, CLI and Tauri) happens on .

I think it was just builds for Mac I didn't complete.