
Well. Depends, if your package version links to a commit hash, you should be rather secure. One could delete it but not overwrite it as easily.


One could presumably push a new version, linked to a commit that contained (directly or as an ascendant) some malicious code.



