by deckard1 1847 days ago
This is true of anything you find on github as well.

Open source works on the idea that "given enough eyeballs, all bugs are shallow." The thing people forget is the "enough eyeballs" part. As if people are sitting around auditing every sub-dependency of a sub-dependency of React.

In addition, I don't know of any package repository that requires the authoritative source[1] from github to match the compiled/minified/etc. package that is uploaded and published. And I suspect most repos are vulnerable to this.

There are many popular but unloved packages out there.

[1] I'd also point out how incredibly stupidly dangerous it is that the open source community has basically given Microsoft the keys to be the authoritative source for all of open source. No one has learned a damn thing. And, somewhat ironically, Microsoft buying out an entire user base for their own nefarious purposes really fits the topic at hand.


Three things are absolutely true:

1) Package managers are a huge security risk.

2) Recursive dependencies massively increase that risk.

3) You should check all your dependencies into your repo, or at least some kind of manifest with secured signatures of those dependencies, and never automatically update dependencies.

I see a few things that can improve this situation by quite a lot:

1) Languages should provide an extensive and expressive standard library of some sort, either one bundled with the language, or a tightly vetted and controlled set of first-party dependencies.

2) Package managers should not automatically resolve recursive dependencies, but should force users to manually add all dependencies of any dependency that is added. This additional friction would force you to acknowledge all the risk you are taking on by adding dependencies, and it would force the ecosystem as a whole to reduce the number of dependencies.
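One concrete form of the "manifest with secured signatures" check from point 3 above, as an added example that is not from the original thread: a small Python script that verifies a vendored dependency directory against a checked-in manifest of SHA-256 content hashes and reports tampered, missing and unpinned archives instead of resolving anything automatically. Content hashes stand in for signatures here, and the package names and archive bytes are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_vendor_dir(manifest: dict, vendor_dir: Path) -> dict:
    """Report, never repair. Anything not 'ok' should fail the build:
    mismatch = tampered or silently upgraded archive, missing = incomplete
    checkout, unlisted = a dependency nobody reviewed or pinned."""
    expected = {e["file"]: e["sha256"] for e in manifest["dependencies"]}
    present = {p.name for p in vendor_dir.iterdir() if p.is_file()}
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in sorted(expected.items()):
        if name not in present:
            report["missing"].append(name)
        elif sha256_file(vendor_dir / name) != digest:
            report["mismatch"].append(name)
        else:
            report["ok"].append(name)
    report["unlisted"] = sorted(present - expected.keys())
    return report


def demo() -> dict:
    """Constructed sample (hypothetical package names): one good archive,
    one tampered, one listed but absent, one present but never pinned."""
    vendor = Path(tempfile.mkdtemp())
    good = b"good archive bytes"
    (vendor / "dep-a-1.0.0.tgz").write_bytes(good)
    (vendor / "dep-b-2.1.0.tgz").write_bytes(b"changed after pinning")
    (vendor / "dep-d-0.0.1.tgz").write_bytes(b"not in the manifest")
    manifest = {"dependencies": [
        {"file": "dep-a-1.0.0.tgz", "sha256": hashlib.sha256(good).hexdigest()},
        {"file": "dep-b-2.1.0.tgz", "sha256": hashlib.sha256(b"original").hexdigest()},
        {"file": "dep-c-3.0.0.tgz", "sha256": "0" * 64},
    ]}
    return verify_vendor_dir(manifest, vendor)


if __name__ == "__main__":
    print(demo())
```

In a real repository the manifest itself is the thing to sign and review in pull requests, so a changed hash is a visible diff rather than a silent upgrade.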