Clarifications about dependency chains

ChALkeR · ChALkeR · commit 9133f15954ca · 2017-06-22T23:29:19.000+03:00
diff --git a/Gathering-weak-npm-credentials.md b/Gathering-weak-npm-credentials.md
@@ -1,6 +1,7 @@
 # Gathering weak npm credentials
 
-_Or how I obtained direct publish access to 13% of npm packages (including popular ones)._
+_Or how I obtained direct publish access to 13% of npm packages (including popular ones)._\
+_The estimated number of packages potentially reachable through dependency chains is 52%._
 
 ---
 
@@ -44,6 +45,9 @@ In total, there were 66876 public packages from 15495 accounts directly affected
 
 Taking dependencies into an account, to my estimations about 52% of the ecosystem was affected — i.e. that number of packages install affected ones along with them through dependency chains.
 
+_That said, dependency chains and semver are not the culprits — grouping deps into larger modules wouldn't have fixed anything and breaking semver would have caused more security problems.
+I will (hopefully) cover that later, but [@joepie91](https://github.com/joepie91) has some notes about that in [his gist](https://gist.github.com/joepie91/828532657d23d512d76c1e68b101f436)._
+
 ### Overall
 * In total, I found **15568 valid credentials for 15495 accounts** since this May.
 * Of those, 15343 accounts have published something (I was targeting only those for everything but npm credentials leaks). The total number of such accounts on npm was 125665, so that gives us **12% of accounts with leaked or weak credentials**.
