‘No Way To Prevent This,’ Says Only Package Manager Where This Regularly Happens
kevinpatel.xyz
SAN FRANCISCO, CA - In the wake of a devastating supply chain attack in the npm registry that left millions of enterprise applications compromised and billions of user records exposed, developers across the JavaScript ecosystem expressed deep sorrow today, lamenting that such a crisis was completely unavoidable. “It’s a shame, but what can you do? This is just the price of building modern web apps,” said Senior Frontend Engineer Mark Vance, echoing the sentiments of a community that completely relies on a 40-level-deep nested tree of unvetted packages maintained by pseudonymous strangers to capitalize a single string. “There’s absolutely no way to foresee or prevent someone from taking over a long-abandoned utility package and injecting a crypto-miner into every production build in the world. It’s just an act of nature.”
  • minfapper@piefed.socialEnglish
    61·
    16 hours ago

    “Look at how all these much smaller package ecosystems don’t have the problems of the largest one.”

    is the tl;dr of this article.

    • esc@piefed.socialEnglish
      1·
      2 hours ago

      Npm having a lot of packages at least partially a problem of lacking standard library, no? And partially developer culture where every trivial thing is a package. Anyway, similar thing will happen to rust soon enough (*looks at 1 gig of dependencies for a cli program*).

  • numbermess@fedia.io
    6·
    1 day ago

    I made a wrapp er script named npm on my $PATH that passes input to pnpm instead because of this. I don’t think my team is ready to adopt something like that, but it seems to be working okay so far. Nobody has complained.

    • corsicanguppy@lemmy.caEnglish
      5·
      1 day ago

      Npm repos violate iso27002. So, it’s out. And we remember why iso27002 is important when we see news like this.