SAN FRANCISCO, CA - In the wake of a devastating supply chain attack in the npm registry that left millions of enterprise applications compromised and billions of user records exposed, developers across the JavaScript ecosystem expressed deep sorrow today, lamenting that such a crisis was completely unavoidable.
“It’s a shame, but what can you do? This is just the price of building modern web apps,” said Senior Frontend Engineer Mark Vance, echoing the sentiments of a community that completely relies on a 40-level-deep nested tree of unvetted packages maintained by pseudonymous strangers to capitalize a single string. “There’s absolutely no way to foresee or prevent someone from taking over a long-abandoned utility package and injecting a crypto-miner into every production build in the world. It’s just an act of nature.”
I’m sure there are advatages to making web apps over regular software for OS’s and that supply attacks can happen anywhere… but the idea this is unavoidable is insanity. Stop making reckless “modern” web apps.
Speaking of “modern web apps” does OpenSUSE still use Firefox as an installer? When I tried the new major version on release I watched a browser unexpectedly open and slowly load a page. Coming from a snappy dedicated installer of prior versions, this made me question if I had downloaded malware.
Doesn’t lots of package managers have the exact same problems?
Not linux distro package managers.
Sees the title: It’s npm isn’t it?
clicks: Yeah, It’s npm…
Didn’t pypi have the worm too recently?
Also I have no idea why npm is worse offender than most? Is it that the install scripts can you execute any code they want?
Yes. Install scripts. But also pypi started enforcing 2fa for package pushes, which helps a lot.
For the longest time I was avoiding the npm. But for certain stuff I needed it to set up my Neovim environment, that depends on npm. And reading headlings and articles like these makes me feel very uncomfortable. Not sure if I should re-evaluate my setup.
It doesn’t seem like a crazy idea to me to have some “second tier” of packages that undergo a higher level of scrutiny and have to pass that before they are released in that tier.
Maybe an arbitrary set of security endorsements would be more flexible.
That permits retaining a low bar for just making the stuff initially-accessible in packaged format, but also helps developers in raising the floor.
Like, okay. Say I have something like:
$ cat .config/npmrc required_security_endorsements=["npm_auto_audit", "maintainer_id_validated", "european_cybersecurity_competence_center_tier_1", "nsa_tier_1"] $An attempt to install a release of a package without those endorsements fails.
That’s going to always create pressure to get something a security endorsement so that it can be used by people who only permit packages with some given security endorsement, but it lets parties start running security endorsement projects to improve the situation without excluding any existing projects from pushing stuff to npm.
EDIT: Also, I’ve not done much node.js development, but assuming that the dependencies in a package manifest default to the newest version unless specific frozen versions are mandated, a la PyPI, it might reasonably be able to fall back to versions with the required security level automatically, if they’re available. If the dependency format permits specifying optional dependencies, a particular dependency could be automatically excluded to conform to the security endorsement requirements list.
A much simpler solution is to add all of the basic stuff into the base library so that people don’t need to include 50 packages to do stupidly simple stuff, but Javascript has shown very little desire to harden itself or grow. They have relied on community contribution to fill their missing design holes and now it is biting them in the butt.
Fuck NPM and all the stupid morons that perpetuate it.
I knew I was making the right choice whenever I avoided that dumb shit like the plague.
