by cromka 78 days ago
> NPM clients should not install freshly published packages.

That would be a beautiful example of the Cobra effect: what about updates that fix vulnerabilities? You're gonna force users to wait a couple of days or a week before they can get malware removed?

2 comments

In cases like this that isn't an issue: NPM takes the malicious package down and you roll back to the previous version.

The problem would be new versions that fix security issues, though, and because this is all open source, as soon as you publish the fix everyone knows the vulnerability. You wouldn't want everyone to stay on the insecure version with a basically public vulnerability for a week.

Precisely my point.

This could be controlled by npm. Clients ask for the available versions anyway. If a package is a security fix then it can be made available instantly. But this delay gives time for security scanners and time to notify maintainers that a package was published.

Then the malicious packages would always be published as a security fix.
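As an added example (not code from any commenter, from npm, or from any real client), here is what the "don't install freshly published packages" rule looks like when done on the client side: a version selector that reads the `time` map a registry package document carries (`https://registry.npmjs.org/<name>` returns one), refuses any version published less than a minimum number of days ago, and also skips versions that appear in `time` but no longer in `versions`, which is what an unpublished (taken-down) version looks like. The registry document, the package name `example-lib`, the timestamps and the reference date are constructed for the example; the x.y.z-only version comparison is an assumption that holds for this sample data and would need a real semver library for prerelease tags.

```javascript
// Added example: client-side "minimum release age" version selection over
// npm registry metadata. Not npm's code; the document below is constructed.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed registry document, shaped like https://registry.npmjs.org/<name>
// but trimmed to the fields this example reads. "example-lib" is not a real package.
// Assumed reference date for the run below: 2024-06-10T00:00:00Z.
const registryDoc = {
  name: "example-lib",
  "dist-tags": { latest: "1.2.1" },
  versions: {
    "1.1.0": {},
    "1.2.0": {},
    "1.2.1": {},
  },
  time: {
    created: "2024-01-01T00:00:00.000Z",
    modified: "2024-06-09T12:00:00.000Z",
    "1.1.0": "2024-01-01T00:00:00.000Z",
    "1.1.5": "2024-03-01T00:00:00.000Z", // unpublished: present in time, absent from versions
    "1.2.0": "2024-05-01T00:00:00.000Z",
    "1.2.1": "2024-06-09T12:00:00.000Z", // published half a day before the reference date
  },
};

// Minimal x.y.z comparison. Assumption: no prerelease or build tags in the data;
// a real client would use a semver library here.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Pick the highest published version that is at least minAgeDays old.
// Returns { version, skipped } where version is null if nothing qualifies and
// skipped records every version that was rejected and why.
function selectVersion(doc, minAgeDays, now = new Date()) {
  const cutoff = now.getTime() - minAgeDays * MS_PER_DAY;
  const skipped = [];
  const eligible = [];

  for (const [version, published] of Object.entries(doc.time)) {
    // The time map also carries package-level "created"/"modified" entries.
    if (version === "created" || version === "modified") continue;

    // In time but not in versions: the version was unpublished, e.g. the
    // registry took a malicious release down. Never a candidate.
    if (!(version in doc.versions)) {
      skipped.push({ version, reason: "unpublished" });
      continue;
    }

    const publishedMs = Date.parse(published);
    if (Number.isNaN(publishedMs)) {
      skipped.push({ version, reason: "bad timestamp" });
      continue;
    }

    // Fresh releases are held back until the minimum age has passed.
    if (publishedMs > cutoff) {
      skipped.push({ version, reason: "too new" });
      continue;
    }
    eligible.push(version);
  }

  eligible.sort(compareSemver);
  return { version: eligible.length ? eligible[eligible.length - 1] : null, skipped };
}

// Stand-alone run against the constructed document with a 7-day minimum age.
const referenceDate = new Date("2024-06-10T00:00:00Z");
console.log(selectVersion(registryDoc, 7, referenceDate));
```

With a 7-day minimum the selector returns 1.2.0 and reports 1.2.1 as "too new" and 1.1.5 as "unpublished"; with a minimum of 0 it returns 1.2.1, the same answer `dist-tags.latest` gives. Note that the delay is purely a client policy over timestamps the registry publishes, so it does nothing about the objection raised in the thread: a security fix is held back exactly as long as anything else, and any exemption keyed on how the publisher labels a release is only as trustworthy as the publisher.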