[Sir_Cmpwn]

The honest answer is a hard truth: you don't use npm at all. The npm ecosystem is out of control and beyond saving. I think it would be wise if someone started a new JavaScript package manager which was run more like a Linux distribution is - trusted third-parties that independently audit and publish new packages.

Retracted: I wanted to audit the rest of npm to see if this payload had made it into any other packages, since if it steals your npm credentials it seems like it could easily become viral. But because npm is a centralized, proprietary service, I can't just download all of the packages from a mirror and examine them myself.

[rattray]

1. You can protect against problems like "a subdependency's patch version automatically bumped to something bad" with a lockfile, either yarn.lock or package-lock.json. Of course, that doesn't help if you chose to update your lockfile in the handful of hours this attack was live.

2. It seems to me that, accordingly, a client-side command to only download packages/versions that have been live for more than n hours/days would decrease the likelihood of downloading malicious code substantially. The community is large and folks tend to find the bad stuff.

3. If independent third parties had to audit code _before_ it could be released, we'd get a lot less code a lot slower.

4. We do have a trusted third-party publish new packages – NPM. They remove malicious content as quickly as they can.

5. Yarn operates a mirror, and there are several CDN's with everything on npm - unpkg.com, cdn.jsdelivr.net/npm, bundle.run. Perhaps one of them will let you download everything for examination.

I wouldn't be surprised if NPM, Inc. would help you audit the rest of the ecosystem if you reached out.

[Sir_Cmpwn]

>If independent third parties had to audit code _before_ it could be released, we'd get a lot less code a lot slower.

So? The JavaScript community could stand to slow down a bit.

>We do have a trusted third-party publish new packages – NPM. They remove malicious content as quickly as they can.

They might publish, but they certainly don't audit. Anyone can publish a package on npm in tens of seconds and it's immediately live for anyone to install. It's not even signed. This looks nothing like a Linux distro.

[Klathmon]

You are free to slow down as much as you want as a developer.

Why is there this call for all software development to slow down? As if the bad actors will also listen and just slow down trying to attack...

[Sir_Cmpwn]

"Move fast and break things" leads to breaking things, it's a shitty and reckless attitude to take towards software development and it puts innocent and vulnerable users at risk.

[Klathmon]

Then don't follow it?

Nobody is forcing you to, I'm building a tiny internal only dashboard right now, move fast and break things works great, because the worst that will happen is our tiny internal dashboard won't work... And spending a ton of time properly engineering and securing a dashboard will be mostly wasted time.

But when I'm working on a core application for the company, I slow down and take my time and actually engineer software.

I don't need all of software development to "slow down" to do that.

[mcguire]

"...because the worst that will happen is..."

... your credentials, development environment, and anything you can access are compromised.

[afarrell]

What data does the dashboard serve? Could you please post some of it here?

[Vinnl]

> So? The JavaScript community could stand to slow down a bit.

It's not "a bit", and it's not just the Javascript community, unfortunately. Practically every software project pulls in heaps of unaudited third-party code.

[Sir_Cmpwn]

I disagree. Most projects pull in an order of magnitude fewer dependencies than your average JavaScript project, if not even fewer.

[Vinnl]

Fewer than npm projects, absolutely. Few enough to be significantly less vulnerable to this attack - I don't think so.

[Sir_Cmpwn]

When was the last time you heard of a Debian package being compromised, for example?

[TAForObvReasons]

The JS community encourages micromodules and leveraging NPM to a fault. We saw that with left-pad years ago, where such a basic function was used all over the place even though it was highly inefficient. That is a testament to how little people actually check their dependencies and just assume others vetted open source code

[Vinnl]

The npm ecosystem is the "worst" in this regard, definitely, but it would be foolhardy to assume that this is not likely to happen to you just because you're not using Javascript, or that slowing down to the level of other ecosystems would prevent this from happening to npm.

[throwanem]

Sure you can. The first public mirror list I know offhand is https://github.com/amio/npm-mirrors/blob/master/index.js.

You can also make your own mirror. See https://eatpeppershothot.blogspot.com/2016/12/how-to-create-... for a quick overview.

Come to think about it, if you're not a fan of the paucity of public mirrors evinced by the first link, you could use the second one to do something significant toward improving that situation. But I grant it's easier merely to criticize.

[Sir_Cmpwn]

I retract my statement about the lack of mirrors.

[austincheney]

> I think it would be wise if someone started a new JavaScript package manager which was run more like a Linux distribution is

I started one but dont have the time to maintain it. If anybody wants to take it just fork it and go: https://github.com/prettydiff/biddle

[rufugee]

It seems that Node would really benefit from a "NPM is a Ghetto" post similar to Zed's Rails rant.

[Jach]

It had that post 7 years ago: https://www.semitwist.com/mirror/node-js-is-cancer.html It was about Node specifically, though, not NPM.

"Yudkowsky's Law of Continued Failure says that if they're dumb enough to do X, they're dumb enough to go on doing X after the next stimulus." In this latest saga of NPM-related fail, it's just another stimulus, so don't expect anything to happen that might address the underlying problems of the ecosystem.

[ricardobeat]

That's a terrible article (such a blind view on async I/O), and totally unrelated to the security model of package managers.

[Jach]

I did say it was about Node, not NPM, but you're right on the article quality too. I even used Node after reading that post..and liked it. But actually I was wrong to even associate it with Zed's post, since Zed's post is mainly about the community and not about the technology. I inferred the call for a similar post on NPM to be technology related and pattern matched on the wrong dimension of "poorly received ranty criticism" entirely! Oh well.

[busterarm]

And risk getting pilloried by the community for being divisive? Or worse, for triggering someone?

Zed has taken a way-out-of-proportion amount of heat (and mostly people just trying to bait him) from people for his confrontational style. Even then, the social climate is much less receptive to that sort of thing now than it was then.