event-stream VS cli

Another possible outcome of "I gave commit rights to someone I didn't know": https://github.com/dominictarr/event-stream/issues/116

Whole npm ecosystem is so fragile.

Remember event-stream[1]? Did we learned something from that? Yes, we might. So was it improved? Never. People are still installing 'new' colors package and wondering why its texts are broken.

What if he uploaded malicious code rather than just just gibberish?

[1]: https://github.com/dominictarr/event-stream/issues/116

foo-bar version 1.0 depends on bada-boom 1.0 which depends on bada-bing 1.0. Now you update to foo-bar 1.1 because of some critical update, which in itself now depends on bada-boom 2.0 and bada-bing 2.0. But unbeknownst to you and the author of foo-bar, the bada-boom and bada-bing project was taken over by another maintainer who made an update, but also added some trojan horse code to specifically attack certain users, which was obfuscated and remained undetected. Which has happened before - not just browser extensions are affected by malicious attackers taking over useful projects.

Because sometimes I make idiotic mistakes and I really don't want that embarrassing stuff out there where people can see. I ran head first into an npm bug once when I tried to symlink the README file which resulted in the thing getting published without a README.

https://github.com/npm/cli/issues/6746

Embarrassing. And then they slapped me with a stupid 24 hour count down on top of it. I seriously hate this thing.

This is the same NPM that made a change causing the `integrity` field to go silently missing from `package-lock.json` [0] when installing packages, and then also not complaining at any other time in the future.

[0] https://github.com/npm/cli/issues/4460

Node.js v21 includes npm v10.2.0, which notably introduces a new sbom command that allows you to generate a Software Bill of Materials (SBOM) for the current project. You can read more about the changes in recent NPM releases on GitHub.

npm ERR! This is an error with npm itself. Please report this error at: npm ERR! https://github.com/npm/cli/issues

You'll need an AWS account and AWS credentials configured locally. We'll use pnpm but you could also use npm or yarn. The finished app is available on github.

~/Documents/amplify-hackathon/amplify-react-graphql-demo main !5 ?3  npm install -g @aws-amplify/cli  1 ✘ 4s 22:11:35 changed 26 packages in 25s 7 packages are looking for funding run `npm fund` for details npm notice npm notice New minor version of npm available! 9.4.0 -> 9.6.5 npm notice Changelog: https://github.com/npm/cli/releases/tag/v9.6.5 npm notice Run npm install -g [email protected] to update! npm notice

10 18.95 npm notice Changelog: https://github.com/npm/cli/releases/tag/v9.6.4

npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated npm WARN deprecated [email protected]: This SVGO version is no longer supported. Upgrade to v2.x.x. added 1692 packages, and audited 1699 packages in 23s 211 packages are looking for funding run `npm fund` for details 27 vulnerabilities (1 low, 7 moderate, 18 high, 1 critical) To address issues that do not require attention, run: npm audit fix To address all issues (including breaking changes), run: npm audit fix --force Run `npm audit` for details. npm notice npm notice New minor version of npm available! 9.5.1 -> 9.6.2 npm notice Changelog: https://github.com/npm/cli/releases/tag/v9.6.2 npm notice Run npm install -g [email protected] to update! npm notice