[ab_testing]

Given the recent npm attacks, is it even safe to develop using npm. Whenever I start a react project, it downloads hundreds of additional packages which I have mo idea about what they do. As a developer who has learnt programming as a hobby, is it better to stick to some other safe ways to develop front end like thyme leaf or plain js or something else.

When I build backend in flask or Django, I specifically type the python packages that I need. But front end development seems like a Pandora box of vulnerabilities

[silverwind]

All package ecosystems that allow unvetted code being published are affected, it just happens that npm is by far the most popular one, so it gets all the news.

[socalgal2]

It's no different anywhere else. I just downloaded jj (rust), it installed 470+ packages

When I downloaded wan2gp (python) it installed it install 211 packages.

[brabel]

Oh man you pick the one other language that followed the JavaScript model?! How about C, Java, Go, Lisp, C#, C++, D… and new ones like Odin that are explicitly against package managers for this very reason.

[alt227]

When you start writing with C, where do you get your stdio.h file? Do you write it yourself, or inspect it line by line every time or do you trust the installation package you just ran?

[johnisgood]

Your OS. glibc / musl.

[alt227]

Exactly, you are trusting an OS or library which could very much be maliciously interfered with.

I would be willing to bet attacks on linux upstream libraries are already happening in the same way as the js ecosystem.

[brabel]

Hm... if you use something like Debian it's quite difficult to get your package installed in the distro. People do review everything that goes in. I find it incredibly silly to compare something like that to npm, where every kid has dozens of packages installed that anyone using npm can end up downloading and no one is really reviewing anything.

[johnisgood]

What makes you think that this is the case?

And yeah I'm trusting my OS (Linux) and the libraries that is in their repository.

We could go deeper than that. What about hardware? None of it is open source.

Where does it end? What can we do about it?

[klabb3]

> It's no different anywhere else.

But it is. Both C/C++ and Go are not at all like this.

I don’t know about Python but Rust ecosystem tends attract enthusiasts who make good single purpose packages but that are abandoned because maintainers move on, or sometimes forked due to minor disagreements similar to how Linux/unix is fragmented with tribal feuds.

[alt227]

All languages use libraries that come from somewhere.

Even your OS upstream packages could be tainted at this point.

[immibis]

Go is like this...

[BrouteMinou]

M'yea, good luck finding such occurrence with NuGet or Maven for example. I would rephrase your "anywhere else".

NPM is a terrible ecosystem, and trying to defend its current state is a lost cause. The energy should be focused on how to fix that ecosystem instead of playing dumb telling people "it's all ok, look at other, also poorly designed, systems".

Don't forget that Rust's Cargo got heavily inspired by NPM, which is not something to brag about.[0]

> "Rust has absolutely stunning dependency management," one engineer enthused, noting that Rust's strategy took inspiration from npm's.

[0]https://rust-lang.org/static/pdfs/Rust-npm-Whitepaper.pdf

[scuff3d]

One of the biggest things that pushes me away from Rust is the reliance on micro dependencies. It's a terrible model.

[codedokode]

What's wrong with micro dependencies? Isn't it better to download only the code you need? Also it makes refactoring easier, and enforces better architecture.

[CraigJPerry]

Larger attack surface - you just need one of those N dependencies to fall for a spear phishing attack and you're cooked. Larger N is necessarily worse.

It depends on the software being written, but if it's a product your business sells or otherwise has an essential dependency on, then the best model available right now is vendoring dependencies.

You still get all the benefits of standing on top of libraries and frameworks of choice, but you've introduced a single point of entry for externally authored code - there are many ways you can leverage that to good effect (vuln scans, licence audits, adding patch overlays etc etc) and you improved the developer experience - when they check out the code, ALL of the code to build and run the project is already present, no separate npm install step.

You can take this model quite a bit further and buy some really useful capabilities for a development team, like dependency upgrades because they're a very deliberate thing now, you can treat them like any other PR to your code base - you can review the changes of each upgrade easily.

There's challenges too - maybe your npm dep builds a native binary as part of it, you now need to provide that build infra / tooling, and very likely you also want robust build artifact and test caching to save wasting lots of time.

[jraph]

Dependency management is work. And almost nobody does this work seriously because it has become unrealistic to do, which is the big concern here.

You now have to audit the hundreds of dependencies. Each time you upgrade them.

Rust is compiled and source code doesn't weigh that much, you could have the compiler remove dead code.

And sometimes it's just better to review and then copy paste small utility functions once.

[procaryote]

> Rust is compiled and source code doesn't weigh that much, you could have the compiler remove dead code.

I get the impression that one driver to make microdependencies in rust is that code does weigh a lot because the rust compiler is so slow.

For a language with a focus on safety, it's a pretty bad choice

[jgtrosh]

Is this bait? The whole context is malicious software being installed en masse via NPM micro dependencies.

[rwmj]

They should just be part of the stdlib of the language.

[wongarsu]

Rust has a really big and comprehensive stdlib, especially compared to languages like C or JavaScript. It just decided that certain things won't be solved in the standard lib because there is no obviously-right solution and evolving towards a good solution is much easier in packages than in the stdlib, because the stdlib isn't versioned.

Some of the gaps feel huge, like no random, no time/date handling, and no async runtime. But but for most of them there are canonical packages that 95% of the ecosystem uses, with a huge amount of eyeballs on them. And sometimes a better solution does emerge, like jiff slowly replacing chrono and time for time/date handling.

Obviously this isn't the best solution from a security perspective. There would be less potential for supply chain attacks if everything was in the standard library. But that has to be weighed against the long-term usability of the language

[scuff3d]

No, I'd much rather a trusted source, like the language developers themselves, provide as much as possible.

And those last two points have absolutely nothing to do with micro dependencies one way or the other.

[immibis]

https://thecodelesscode.com/case/119

[maxloh]

I come from a JavaScript background, and I've got to admit that the ecosystem is designed in a way that is really prone to attack.

It is like the xz incident, except that each dependency you pull is maintained by a random guy on the internet. You have to trust every one of them to be genuine and that they won't fall into any social engineering attacks.

[TZubiri]

Here's my black pill: Node in general is not safe.

The blurring of the client-server lines is a security risk. Very easy to expose the wrong thing; the language appeals to people who know 1 language (which correlates with lack of experience).

In my personal experience node projects developed under my supervision had very basic client-server boundary vulns 66.67% of the time. Empirically it's not great.

[fragmede]

Just a heads up that Pypi isn't immune from the same attack, with "Pypi supply chain attack" into Google revealing a (much smaller) number of packages that turned out to be malware. Some were not misspellings either, with one being a legitimate package that got hacked via GitHub Actions and a malicious payload added to the otherwise legitimate package.

[graemep]

Definitely, and you should be aware of the risk and think about and assess your dependencies.

Having a large standard library does reduce the number of dependencies, and you can go a long way using only well known dependencies.

[tjpnz]

No language ecosystem is but NPM/Node still encourages this idea (borrowed elsewhere and interpreted poorly) that everything must be its own tiny package and that it's acceptable to author libraries consisting of thousands of transitive dependencies from potentially dubious sources. Just this week I saw one (unmaintained dependency of a popular package) which consisted of a list of a dozen SQL operators. Anywhere else you would just write the damn code, maybe add a comment that these are the SQL-92 operators and be done with it literally forever. But in Node land that would be viewed as an antipattern which only another package can fix. It's a security and maintenance nightmare that can only be explained by laziness and outright stupidity.

[silverwind]

It's a misconception that NPM or Node encourage this, because they don't. There are a few package authors that are doing it that way (some even paid by download count), but that's their opinion.

Recently there is a trend towards minimal-dependency packages and I would certainly recommend auditing every package for its dependencies before using it.

[azangru]

> As a developer who has learnt programming as a hobby, is it better to stick to some other safe ways to develop front end like thyme leaf or plain js or something else.

Oh, absolutely, there is no question about it. Fewer dependencies means less headache; and if you can get the number of your dependencies to zero, then you have won the internet.

[johnisgood]

Sounds like... C.

[nektro]

this is one of the less talked about benefits of using bun

[Defletter]

How does Bun avoid this? Or is it more that Bun provides things that you'd otherwise need a dependency for (eg: websockets)?

[lioeters]

From a link mentioned elsewhere in the thread:

> Unlike other npm clients, Bun does not execute arbitrary lifecycle scripts for installed dependencies, such as `postinstall` and `node-gyp` builds. These scripts represent a potential security risk, as they can execute arbitrary code on your machine.

https://bun.com/docs/guides/install/trusted

I've also found the Bun standard library is a nice curated set of features that reduces dependencies.

[Defletter]

Hmmm, it still has a pretty extensive default list of permitted npm packages, which wouldn't necessarily be a problem if there were a way to disable it, but I can't seem to find it.

[nektro]

the latter is what i was getting at yeah. updated list of standard library-esque functions implemented in native code so the need to reach to npm for a dependency happens far less often.