12th March 2019

Laurie Voss, a co-founder and Chief Data Officer of NPM (a package manager for JavaScript, and a huge database of public and private JavaScript packages), had an interesting story to tell on Twitter:

My first reaction was something akin to "How the hell do you do this by mistake?". Surely publishing a package to NPM has just enough friction that you don’t publish private IP to a public repository.

You also have to keep in mind that NPM has supported private repositories since 2014, and already offers a full enterprise solution, NPM Enterprise.

4 responses to “A Major Bank Accidentally Published Private Code to the Public NPM Registry”

  1. ChrisHannah says:

    @oyam That is a very good point! I’m guessing it could have been a quick decision by an inexperienced dev, that just wasn’t picked up for a while.

  2. oyam says:

    @ChrisHannah I always felt that once you get over a certain threshold of people, any more just makes things worse.

    Also, you’d be surprised how many junior people work at banks and the responsibility/trust they put on them.

  3. ChrisHannah says:

    @EddieHinkle it seems strange to me, because surely there had to be so many technical people involved in the process!

  4. Eddie Hinkle says:

    Wow… just wow. That seems crazy but is also believable. It’s crazy how much large institutions and the people inside them can misunderstand things.
