
> You realize that my dependency stack contains about 2500 dependencies

That is amazing: when I was younger, sharing code was a goal, but absolutely nothing could prepare me for your world. Previously I have had the luck to be able to rewrite a lot from scratch, removing most runtime dependencies, although definitely not replacing build dependencies.

I imagine auditing for security, and managing dependency upgrades, must both be onerously expensive time sinks?



> I imagine auditing for security, and managing dependency upgrades, must both be onerously expensive time sinks?

Modern devs don't care. They just install whatever, let it pull in 1000s of other packages, and continue on their merry way.

Meanwhile, a package you use today, can root your stuff tomorrow. That is, next update and bam! Package was sold to Evil Entity, or just the dev decides to rm your drive based upon geo location.

I get paid a lot to clean up much of this mess, and while tools such as composer and node.js are useful, they are horrible, horrible security risks.

If you use node or composer, be prepared for dozens of updates weekly. Each update is risk laden, with feature and security fixes all mashed into one.

On a large project, you'd need multiple devs just to audit all the changes.

But as you will soon see, there will be all sorts of $reasons given, which all lack understanding of how traditional Linux distros handle updates, and boil down to "not my problem" or "someone else magically makes it safe!"


Any copyright time bombs in front-end code?

Have an unobvious copyright condition, get your code in thousands of projects, then spider the internet looking for companies that use your code, and charge them a $1000 “licensing fee”.

Or change the copyright in v1.1.2.2 and wait until everyone updates, and do the same thing.

> Modern devs don't care

I think the “modern” is superfluous and vaguely insulting: security isn’t/wasn’t cared about by most old-skool developers either!



