by coffeeblack 1303 days ago
Does every “registry” or “hub” have to repeat the same mistakes? It’s not like the same didn’t happen on pypi, npm, crates, and who knows how many others.

These all inherently trust the code submitted to them. Scanning tools cost a lot of money, but even the best scanning tools can't begin to detect malicious activity, because malicious activity often looks exactly like legitimate activity.
While no automated tool can accurately catch all malware, I'm building Packj [1] to provide objective security insights into software artifacts. Auditing hundreds of direct/transitive dependencies manually is impractical, but Packj can quickly point out spawning of shell, use of SSH keys, mismatch of GitHub code vs packaged code (provenance), etc.

1. https://github.com/ossillate-inc/packj
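A sketch of the kind of checks the comment lists, written as an added example that is not Packj's own code: it walks a package's Python AST for shell-spawning calls and SSH key path literals, and hashes each packaged file against the repo copy to flag a provenance mismatch. The package contents and file paths are constructed for the demo.

```python
# Added example, not Packj's own code: a minimal static audit of a Python
# package for the signals the comment names (shell spawning, SSH key access,
# repo vs packaged mismatch). Sample package contents below are constructed.
import ast
import hashlib

REPO_FILES = {"pkg/__init__.py": "def add(a, b):\n    return a + b\n"}
PACKAGED_FILES = {  # same module, but the published copy carries extra code
    "pkg/__init__.py": (
        "import os, subprocess\n"
        "def add(a, b):\n    return a + b\n"
        "subprocess.Popen('uname -a', shell=True)\n"
        "open(os.path.expanduser('~/.ssh/id_rsa')).read()\n"
    ),
}
SHELL_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
               "os.system", "os.popen"}

def _dotted(node):
    """Return 'mod.attr' for a Name/Attribute call target, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def scan_source(src):
    """Sorted findings for one file: shell spawns and SSH key path literals."""
    findings = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call) and _dotted(node.func) in SHELL_CALLS:
            findings.add("shell-spawn:" + _dotted(node.func))
        if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and ".ssh/" in node.value:
            findings.add("ssh-key-access")
    return sorted(findings)

def provenance_mismatch(repo, packaged):
    """Packaged files absent from the repo or whose content hash differs."""
    digest = lambda s: hashlib.sha256(s.encode()).hexdigest()
    return sorted(path for path, src in packaged.items()
                  if path not in repo or digest(repo[path]) != digest(src))

def audit(repo, packaged):
    """Per-file findings plus the list of files failing the provenance check."""
    report = {path: scan_source(src) for path, src in packaged.items()}
    report["provenance-mismatch"] = provenance_mismatch(repo, packaged)
    return report
```

Real tooling resolves imports and aliases rather than matching dotted names, and compares against a pinned upstream commit rather than an in-memory dict; the shape of the report is the point here.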

Don’t know why you are downvoted.

It’s a noble mission, but eventually a pointless one, I believe. It looks more and more like the entire strategy of having a bazillion mini repos all importing each other is doomed to fail.

But hey, maybe I’m wrong and all those automated auditing tools actually manage to keep dependencies sufficiently safe.

That would be the best outcome, but I am increasingly pessimistic. There is just too much to gain.

> It looks more and more like the entire strategy of having a bazillion mini repos all importing each other is doomed to fail.

I think it's already a failure for some people, because of problems like the one this thread is about.

I and a few others I know advocate against using libraries if at all possible, and always when the library is small with few methods, both so that you can know what you're running (always a good idea, of course) and so you can gain the experience of solving that problem. I believe that writing different parts of software will make you better at writing all software; writing ORMs all day won't help you get better at reading binary files, for example.

People always look at me very strangely when I say "avoid libraries when possible" but I think the idea that libraries are an open doorway for malware is going to be more and more obvious as time goes on. Browser extensions are constantly sold to bad actors for large sums of money, because the amount of money offered can be life-changing for the extension author. It's going to happen more and more with libraries as well.