by megumax 1690 days ago
That's not really a solution to the problem because the attacker might change the contents of the package instead of adding `postinstall` or `preinstall` hooks.

The more realistic solution would be teams of volunteers who audit the packages and check the differences between specific versions of them. This doesn't block all possible infected packages, but most of them, which is better than what we have now. Everything is based on trust, so you can't stop this, but maybe you can prevent it.


> the attacker might change the contents of the package instead of adding `postinstall` or `preinstall` hooks.

Ultimately, any code inside an npm package needs to be run by default in the context of a sandbox, such as vm2 or SES. That way a developer would have to opt in to granting permissions for a package to run executable code.

https://github.com/patriksimek/vm2

https://medium.com/agoric/ses-securing-javascript-in-the-rea...

Ultimately, JavaScript needs to change the culture around its dependency packaging.
Good luck with that.
Hello megumax!

I'm working on a solution along the lines that you've suggested:

https://github.com/vouch-dev/vouch

Vouch lets users create and share reviews for NPM packages. Project dependencies can then be checked against those reviews.

Vouch uses extensions to interface with package ecosystems. Extensions currently exist for NPM, PyPI, and Ansible Galaxy.

I'm currently working on a website to index known reviews and publish official reviews.

Drop by the Matrix channel if you have any feedback or thoughts to share: #vouch:matrix.org