I would now take care to not use “node-ipc” or any other library made or maintained by the same author, ever.
The sadder part is that an action like this damages the whole system. Sure, I should avoid “node-ipc”, but the probability of such things happening with any package has also gone up—perhaps some Russian sympathizer does the same thing in retaliation, or more likely, someone in some unrelated conflict in the future decides to do this because there’s precedent for it. So now I need to worry about all packages, and either do costly extra things like locking all package versions and then manually updating them over time, or perhaps do nothing but expect that I’ll get pwned more frequently going forward :(
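The "lock all package versions" mitigation mentioned in the comment above, as an added example that is not part of the original post or of any project: a small Node script that flags dependencies declared as semver ranges instead of exact versions, and checks that a `package-lock.json` (lockfileVersion 2/3 layout, `packages["node_modules/<name>"].version`) resolves each pinned dependency to exactly the declared version. The `package.json` and lockfile objects are constructed inline for illustration; the package names and versions are hypothetical and do not describe any real release.

```javascript
// Added example, not code from the original comment. Detects unpinned
// dependency specs and lockfile drift so that "pin everything and update by
// hand" can actually be enforced rather than assumed.

// Exact version: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
// Anything else (^, ~, *, x, >=, ranges, tags, URLs) is treated as unpinned.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactVersion(spec) {
  return EXACT.test(String(spec).trim());
}

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Returns "field:name@spec" for every dependency whose spec is not an exact pin.
function findUnpinned(pkg) {
  const out = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isExactVersion(spec)) out.push(`${field}:${name}@${spec}`);
    }
  }
  return out;
}

// For every exactly pinned dependency, compare the pin with what the lockfile
// resolved. Returns one entry per mismatch; `locked` is null when the lockfile
// has no entry for the package at all.
function lockfileDrift(pkg, lock) {
  const drift = [];
  const packages = lock.packages || {};
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isExactVersion(spec)) continue; // ranges are reported by findUnpinned
      const entry = packages[`node_modules/${name}`];
      if (!entry) {
        drift.push({ name, declared: spec, locked: null });
      } else if (entry.version !== spec) {
        drift.push({ name, declared: spec, locked: entry.version });
      }
    }
  }
  return drift;
}

// Constructed sample inputs (hypothetical project; versions are illustrative).
const samplePkg = {
  dependencies: { 'node-ipc': '^9.2.1', 'left-pad': '1.3.0' },
  devDependencies: { 'some-tool': '~2.0.0', 'other-tool': '4.1.0' },
};
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: samplePkg.dependencies },
    'node_modules/node-ipc': { version: '9.2.2' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/some-tool': { version: '2.0.5' },
    'node_modules/other-tool': { version: '4.2.0' }, // drifted from the 4.1.0 pin
  },
};

function report(pkg, lock) {
  return { unpinned: findUnpinned(pkg), drift: lockfileDrift(pkg, lock) };
}

console.log(JSON.stringify(report(samplePkg, sampleLock), null, 2));
```

Run it in CI before `npm ci`: `npm ci` installs exactly what the lockfile says and fails if `package.json` and the lockfile disagree, so the two checks together turn the manual pinning policy into something that breaks the build when a range sneaks in or a pin and the lockfile diverge.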