We could do a full write-up on npm's quirks and how one could take advantage of them to hide intent.

Consider the following from the post's package.json:

Here it's clear that the package links to something in a weird, non-standard way. A manual review would tell you that this is not axios.

The package.json lets you link to things that aren't even on npm [1]. You could update this to something like:

    "axios": "git://cdnnpmjs.com/axios"

And it becomes less clear that this is not the thing you were intending. But at least in this case, it's clear that you're hitting a git repository somewhere. What about if we update it to the following?

    "axios": "axiosjs/latest"

This would pull the package from GitHub, from the org named "axiosjs" and the project named "latest". This is much less clear and is part of the package.json spec [2]. Couple this with the fact that the npm website tells you the project depends on Axios, and I doubt many people would ever notice.

[1] https://docs.npmjs.com/cli/v10/configuring-npm/package-json#...
[2] https://docs.npmjs.com/cli/v10/configuring-npm/package-json#...
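A defensive counterpart to the specifier quirks described in this comment, as an added example (not the commenter's code, and not part of the original thread): a small Node.js script that classifies every dependency specifier in a package.json and reports the ones that do not resolve to the named package on the npm registry, i.e. git URLs, the bare "org/repo" GitHub shorthand, "npm:" aliases that install a differently named package, tarball URLs and local paths. The sample package.json, every package name in it other than axios, and the classification rules encoded in the regular expressions are constructed for this example and are a conservative approximation of npm's specifier grammar, not an authoritative parser.

```javascript
// Audit package.json dependency specifiers for anything that does not resolve
// to the named package on the public npm registry. Added example for this
// discussion; the rules below are a constructed approximation of npm's grammar.

const GIT_PROTOCOLS = ["git://", "git+ssh://", "git+https://", "git+http://", "git+file://", "ssh://"];
const HOSTED_SHORTHAND = ["github:", "gitlab:", "bitbucket:", "gist:"];
const LOCAL_PREFIXES = ["file:", "link:", "workspace:", "./", "../", "/", "~/"];

// A registry specifier is a semver range ("^1.6.0", ">=1 <2", "1.x", "*")
// or a dist-tag ("latest", "next"). Anything with a scheme or a slash is not.
const SEMVER_RANGE = /^[\sxX*0-9.^~<>=|+-]*$/;
const DIST_TAG = /^[A-Za-z][A-Za-z0-9._-]*$/;

function classifySpec(spec) {
  if (typeof spec !== "string") return "unknown";
  const s = spec.trim();
  if (s === "") return "registry";                              // "" means any version
  if (s.startsWith("npm:")) return "npm-alias";                 // "npm:other-pkg@range"
  if (GIT_PROTOCOLS.some((p) => s.startsWith(p))) return "git-url";
  if (HOSTED_SHORTHAND.some((p) => s.startsWith(p))) return "hosted-git";
  if (/^https?:\/\//.test(s)) return "tarball-url";
  if (LOCAL_PREFIXES.some((p) => s.startsWith(p))) return "local-path";
  // "user/repo" or "user/repo#ref" with no scheme: npm treats this as GitHub.
  if (/^[^\s/:@#]+\/[^\s/:@#]+(#.*)?$/.test(s)) return "github-shorthand";
  if (SEMVER_RANGE.test(s) || DIST_TAG.test(s)) return "registry";
  return "unknown";
}

// "npm:@scope/name@^1" -> "@scope/name"; "npm:name" -> "name".
function aliasTarget(spec) {
  const body = spec.trim().slice("npm:".length);
  const at = body.lastIndexOf("@");
  return at > 0 ? body.slice(0, at) : body;
}

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Returns one finding per dependency whose specifier does not point at the
// package of the same name on the registry.
function auditDependencies(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind === "registry") continue;
      let reason = `resolves via ${kind}, not the npm registry`;
      if (kind === "npm-alias") {
        const target = aliasTarget(spec);
        if (target === name) continue; // alias to itself is just a registry pin
        reason = `alias: installs registry package "${target}" under the name "${name}"`;
      }
      findings.push({ field, name, spec, kind, reason });
    }
  }
  return findings;
}

function auditPackageJsonText(text) {
  return auditDependencies(JSON.parse(text));
}

// Constructed sample package.json modelled on the specifiers discussed above.
// Only "axios" and the two specifier values come from the discussion; the other
// package names are made up for this example.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    axios: "axiosjs/latest",                       // GitHub org "axiosjs", repo "latest"
    lodash: "^4.17.21",                            // ordinary registry range
    "request-helpers": "git://cdnnpmjs.com/axios", // arbitrary git host
    "date-utils": "npm:some-other-pkg@^1.0.0",     // installs a different package
  },
  devDependencies: {
    jest: "latest",                                // dist-tag, still the registry
    "my-local-plugin": "file:../plugins/my-local-plugin",
  },
});

// Stand-alone run: print findings in a CI-friendly form, one per line.
for (const f of auditPackageJsonText(SAMPLE_PACKAGE_JSON)) {
  console.log(`[${f.field}] ${f.name} = ${JSON.stringify(f.spec)}: ${f.reason}`);
}
```

To use it on a real project, feed the contents of its package.json to auditPackageJsonText and fail the build on any finding, then review each one by hand: a git URL or a local path is sometimes intentional, but it should be a conscious decision rather than something that slips through because the dependency name looks familiar. This check only covers specifier-level misdirection; a well-formed registry specifier for a look-alike package name is a separate problem that needs a separate check.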