* User removes 'alert' from npm, last version was 1.1.0
* Consumers with "alert": "^1.0.0" now have broken builds
* Troll grabs "alert", publishes 1.1.1 with a "postinstall" hook that steals personal data / installs a trojan / deletes data
* Major numbers of development machines and some production environments are now compromised
Shrinkwraps should also include a package hash to protect users against the repository. I'm starting work on a PR to `ied` that will do this.
* User removes 'alert' from npm, last version was 1.1.0
* Consumers with "alert": "^1.0.0" now have broken builds
* Troll grabs "alert", publishes 1.1.1 with a "postinstall" hook that steals personal data / installs a trojan / deletes data
* Major numbers of development machines and some production environments are now compromised
Shrinkwraps should also include a package hash to protect users against the repository. I'm starting work on a PR to `ied` that will do this.