[righthand]

I have to say NPM packaging is terrible. I probably spend 1 month of the year fiddling with upgrading packages due to security issues. That is just the amount of time I spend on my repos alone. All of this extra effort to avoid code signing and making package owners accountable.

It seems like every week there is a new security high sev ticket to fix some webpack dependency.

Not to mention that even if you do successfully run “npm audit fix” (—force), Npm may not update to the correct new version and will often downgrade packages many many many versions.

The error messages that Npm spits out have always frightened junior devs too.

I can’t wait for that whole ecosystem to be replaced.

[vdupras]

I have a question. I'm curious.

I see two comments here on this subject, complaining about the churn of dealing with security advisories. Sure, it's churn.

... but isn't this problem dwarfed by the implications of having used a compromised package? Presumably, if the project you work on has a compromised dependency, it means you've ran it on your development machine. Presumably, you might have a couple of secrets (private keys, AWS credentials and other whatnots) lying around, which might have leaked to a malicious actor.

Wouldn't you need to review all the development, staging and production machines for all your projects and rotate secrets everywhere?

Wouldn't it be, by far, the biggest churn involved, so much that mentioning "npm audit" difficulties not worth mentioning at all, because of the ridiculous comparison in effort magnitude?

[rester324]

I think this would be a fair assessment, if the security advisory would be true.

Since it's most probably false, the implications you refer to remain hypothetical, while the cost of cleaning up after npm's decision are measured in real M$s. And I think that's the real issue here.

I am not saying that we should give up on security altogether, but now there is so much toil attached to managing security, compliance and such aspects of the development lifecycle, that at some point managing all these aspects will outweigh all productivity a dev can bring to the project.

It's admittedly a hyperbole, but at that point the whole development procedure would simply become a pointless exercise without any benefit to anyone.

[vdupras]

So I understand that in NPM world, spurious security advisories are common and that the tooling will constantly have you run "fix" commands without real reasons? That's bad and it would explain this lax security culture oozing from it.

So the damage is already done, and real security problems will never be properly addressed. One must come to the conclusion that NPM has to be avoided at all cost if security is a concern at all. Additionally, one must make sure that when onboarding a developer coming from the NPM world into a sane project, they have to be properly de-conditioned with regards to security advisories.

[righthand]

The fix command just upgrades or downgrades the package to the first-known-unaffected-version. Meaning if “audit” api is unaware of a modern version for the fix (due to cache or human latency), then you can be downgraded to when the version before the bug was introduced, for ex. 25 major versions prior or something.

[rester324]

Which is a wrong conclusion if I understand you correctly.

You can just host your own package repo and run your own verification to confirm if a package is indeed vulnerable or not. If it's not, you can just continue your operations as usual, regardless of what NPM (the company, the host provider, not the CLI tool) does in the background.

[righthand]

Not if your IT dept is lazy and has to meet some sort of security compliance, then they force the task on you to develop this “own package repo” or just use Dependabot and force your team to create a quarterly ticket to rake the security bugs out of the code.

[sensanaty]

In my case, stylus is a transient dependency of a transient dependency of a transient dependency... Vite has had stylus as an OPTIONAL peer dependency for a very long time now, and stylus itself has existed for MANY years.

What NPM did here is eradicate every single version of stylus ever published, so the breakage for the large majority of people here is that NPM will now try to fetch a non-existent package, which will cause CI and other scripts that rely on `npm ci` or `npm i` to fail.

It's one thing to get a big scary warning saying "Hey, stylus has a vulnerability, here's an overview of the issue..." and then pushing out the overwritten version as its own standalone version that people can migrate to. Instead, NPM silently overtook a package and overrode it completely. Running `npm audit` in a project affected by this, I see 0 mention of stylus in it, there is ZERO indication anywhere that something about this package is wrong other than the fact that the package basically doesn't exist in the registry anymore. And in my testing so far, things like `package.json` `overrides` fields does not work [1].

So I wouldn't say this is your typical vulnerability situation. They pulled packages with 0 warning or notice to anyone, and their own security audit tooling gives you nothing to go by, and there seems to be basically nothing you can do to fix this, depending on how exactly your project is setup. We're not even sure there is an actual attack or vulnerability, because they don't link to any details literally anywhere! Just take a look at the NPM page [2], there are ZERO details here! And even weirder (could be that NPM just doesn't count downloads this early into a change's lifecycle), the downloads for the version they override is sitting at 0, to me indicating that nobody has been able to even download this, which I can confirm at least anecdotally from me trying to fix this issue myself.

[1] https://github.com/npm/cli/issues/4232 [2] https://www.npmjs.com/package/stylus

[kaelwd]

This article is four years old but still relevant: https://overreacted.io/npm-audit-broken-by-design/

The vast majority of "compromised packages" are just dev dependencies that have a slow regexp.

[righthand]

No the biggest churn involved is now I’m another engineer that prefers to stay away from using, developing on, and recommending javascript platforms.

To your point I think you will find most companies stop at the upgrade high sev packages step and do not have any requirements or churn related to checking for fallout from sevs.

[vdupras]

That's what I suspect as well, but this means that we can assume that there's a giganormous amount of development machines being compromised around the world. If you're a gig worker, you might be exposing your other customers, including those with okay security practices.

It seems crazy to me that there's this ostrich culture about security. I'm guessing the vibecoding fashion doesn't help. Supply chain attacks can only grow exponential from there, flee for your lives.

[sensanaty]

The crazy thing is that `npm audit` doesn't even list `stylus` here, at least not in my repos. Despite them literally overtaking the damn package on the registry for a *security issue*.

[righthand]

It gets even better, Dependabot will spam you severities of it’s own that don’t appear in audit.

So you probably need to carefully audit the changes from two data sources and the security ticket ends up being 2+ merge requests.