from HaraldvonBlauzahn@feddit.org to programming@programming.dev on 16 May 21:43
https://feddit.org/post/29944462
SAN FRANCISCO, CA - In the wake of a devastating supply chain attack in the npm registry that left millions of enterprise applications compromised and billions of user records exposed, developers across the JavaScript ecosystem expressed deep sorrow today, lamenting that such a crisis was completely unavoidable.
“It’s a shame, but what can you do? This is just the price of building modern web apps,” said Senior Frontend Engineer Mark Vance, echoing the sentiments of a community that completely relies on a 40-level-deep nested tree of unvetted packages maintained by pseudonymous strangers to capitalize a single string. “There’s absolutely no way to foresee or prevent someone from taking over a long-abandoned utility package and injecting a crypto-miner into every production build in the world. It’s just an act of nature.”
#programming
threaded - newest
Sees the title: It’s npm isn’t it?
clicks: Yeah, It’s npm…
My thought process exactly.
It doesn’t seem like a crazy idea to me to have some “second tier” of packages that undergo a higher level of scrutiny and have to pass that before they are released in that tier.
Maybe an arbitrary set of security endorsements would be more flexible.
That permits retaining a low bar for just making the stuff initially-accessible in packaged format, but also helps developers in raising the floor.
Like, okay. Say I have something like:
An attempt to install a release of a package without those endorsements fails.
That’s going to always create pressure to get something a security endorsement so that it can be used by people who only permit packages with some given security endorsement, but it lets parties start running security endorsement projects to improve the situation without excluding any existing projects from pushing stuff to npm.
EDIT: Also, I’ve not done much node.js development, but assuming that the dependencies in a package manifest default to the newest version unless specific frozen versions are mandated, a la PyPI, it might reasonably be able to fall back to versions with the required security level automatically, if they’re available. If the dependency format permits specifying optional dependencies, a particular dependency could be automatically excluded to conform to the security endorsement requirements list.
A much simpler solution is to add all of the basic stuff into the base library so that people don’t need to include 50 packages to do stupidly simple stuff, but Javascript has shown very little desire to harden itself or grow. They have relied on community contribution to fill their missing design holes and now it is biting them in the butt.
Great ideas. Who’s going to pay for it? Are opensource devs supposed to wrote the code, maintain it, and audit other people’s code too?
Devs can add these to .npmrc. And in top tier professional workplaces we do things like this. Sure devs can override, but it’s explicit at that point.
In enterprises all packages are copied, scanned, and hosted internally with requests for packages from public locations blocked.
Fuck NPM and all the stupid morons that perpetuate it.
I knew I was making the right choice whenever I avoided that dumb shit like the plague.
Didn’t pypi have the worm too recently?
Also I have no idea why npm is worse offender than most? Is it that the install scripts can you execute any code they want?
Yes. Install scripts. But also pypi started enforcing 2fa for package pushes, which helps a lot.
I think it’s because JavaScript devs have a more promiscuous culture of code reuse than most. In what other language community would something like left-pad justify being its own package?
For the longest time I was avoiding the npm. But for certain stuff I needed it to set up my Neovim environment, that depends on npm. And reading headlings and articles like these makes me feel very uncomfortable. Not sure if I should re-evaluate my setup.
Doesn’t lots of package managers have the exact same problems?
Not linux distro package managers.
Yes, a lot of programming language package managers do have similar problems as npm.
It “regularly happens” in NPM because it has one of the biggest attack surfaces. You think hackers are spending a meaningful amount of time taking over abandoned Lua projects?
I’m sure there are advatages to making web apps over regular software for OS’s and that supply attacks can happen anywhere… but the idea this is unavoidable is insanity. Stop making reckless “modern” web apps.
Speaking of “modern web apps” does OpenSUSE still use Firefox as an installer? When I tried the new major version on release I watched a browser unexpectedly open and slowly load a page. Coming from a snappy dedicated installer of prior versions, this made me question if I had downloaded malware.