Picking up the pieces
At least one project exists as an alternate way to perform package management for Node. The ied project proposes several changes intended to solve some of the issues described above. Packages are identified by their SHA-1 checksums, not merely by a package name, which guarantees that packages are unique and can't be confused with (or arbitrarily substituted for) each other. Semantic versioning is also supported, so a specific version of a package can be fetched.
The design of the early Internet assumed that trust exists between all parties, an assumption that was fine for a closed-ended, academic environment. But as the Internet went public, that assumption has turned into a time bomb, as criminal attackers learned to leverage obsolete protocols or exploit limitations in existing ones.
In the same way, many of the unquestioned assumptions about how NPM works -- and, more generally, how public software repositories work -- may have their biggest tests ahead of them.
Sign up for CIO Asia eNewsletters.