by r6203 1688 days ago
Are other languages/runtimes also that risky as Node with npm?

npm packages seem like a house of cards.

I know that the node_modules folder is often criticized for its sheer number of 3rd party libraries. Is it because of JavaScript's "missing" standard library?

3 comments

I will be downvoted to hell for saying this. But the JavaScript ecosystem is where most newbies come. (Low barrier to entry, and it also seems hip.) With no regard to security, maintainability or reliability, fashion-chasing blog-happy hipsters.

The amount of churn in the JS ecosystem, security incidents like this and the general crappiness of websites can be generally explained by how immature these hipsters are.

PHP has a similarly low barrier to entry, but doesn't seem to suffer as much as JS.

Perhaps because dependencies are more curated in PHP due to clusters of dominant frameworks, rather than a proliferation of smaller libraries.

Not disagreeing with organization around frameworks in PHP, but apparently PHP suffered a lot from low barrier, in terms of security especially. That was the time package management wasn't that widespread yet, which IMO limited this kind of stuff. But there were, for sure, many applications where PHP could be blamed for security incidents and general unreliability. PHP improved quite well though.

Now PHP isn't hip anymore, Node.js is the super popular hip thing, and every Tom, Dick and Harry from art school in the US or a 3rd tier engineering college in India will slap together three todo list applications on a resume and want to call himself a full stack developer. The internet is fast, hardware is fast, no one cares about the pile of dependencies sitting beneath them.

Add to that resume-driven development, where every JS wants to write libraries and become GitHub-famous. 30-line libraries will be considered a joke, and it will be shameful to brag about such things in any other ecosystem.

I was also thinking that the "blast radius" for PHP was lower, as there wasn't the same culture around creating packages.

Until composer, there wasn't much of a culture around creating packages full stop, apart from PEAR, which beginners didn't create packages for.

In 2019, 11% of all vulnerabilities listed by the National Vulnerability Database were linked to PHP; historically, about 30% of all vulnerabilities listed since 1996 in this database are linked to PHP. [1]

Also, early this year there was news that git.php.net was compromised and a backdoor was introduced into PHP, but luckily the backdoor was caught before a production release. [2][3]

1: https://en.wikipedia.org/wiki/PHP#Security

2: https://arstechnica.com/gadgets/2021/03/hackers-backdoor-php...

3: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/

I was referring to security issues regarding dependency management.

The git.php.net server was also not compromised, as far as I know, from a PHP vulnerability that was active at the time.

Also, almost all websites use JavaScript but not that many use PHP. So JavaScript dependencies ought to be a more lucrative target?

What's wrong with being fashionable? Most excellent devs I know have great fashion sense. Neckbeards and promo t-shirts are over.

Fashionable != fashion chasing

npm is pretty unique in the low bar it sets for security. What is really frightening is how these cases are discovered, more or less by accident, rather than by some kind of verification process that ensures this simply cannot happen before QA catches it on the way to a release.

I think pip occasionally has comparable attacks; last I heard, they were mostly from typo-squatting packages, though.