---
title: Untrusted Projects
#date: 2022-04-01
#version: 0.0.1
categories:
  - Development
tags:
  - "C#"
  - Typescript
  - Rust
  - Semantic Releases
summary: >
  One person's idea of how to handle malicious or unreviewed packages across most languages.
---

The open-source ecosystem is huge, with thousands upon thousands of developers creating billions of projects across multiple languages. Most of the time, these packages are pushed up to centralized sites for discovery and download. Because of that scope, there are almost no reviews of the individual packages, nor is there a decentralized way of identifying the malicious implementations out there.

This is the crux of the problem. As an ecosystem acquires [more packages](./counts.md), there is always a risk of [a malicious developer](https://psychopathyis.org/stats/) creating a package to benefit them in some manner. It might be stealing information, protesting [current events](https://www.theregister.com/2022/03/18/protestware_javascript_node_ipc/), [making money](https://securityintelligence.com/news/popular-javascript-library-for-node-js-infected-with-malware-to-empty-bitcoin-wallets/), or simply destroying things. But those individual packages are difficult to detect, more so when other developers are mandated to keep packages up to date or when the package itself is nested as a dependency of another one.

What this [plot](/garden/) does is lay out one possible approach to handling this problem, along with some suggestions and next steps, because complaining about a system without coming up with a system isn't very productive. Naturally, this is an attempt to create a [standard](https://www.explainxkcd.com/wiki/index.php/927:_Standards), but one that I think needs to be done sooner or later.