| > If you already had left pad cached then you were not affected by its disappearance. The evidence of course is that when you say "left pad" no one knows what you're referring to because nothing bad ever happened. > If a package needs an install script to be used, to compile some native code for example, you still need to run the install script before you can use the package. This already sounds like a giant red fucking flag, but sure whatever, what you're using needs some compile step. You can be in control of what runs when and where. Heck you could even take the fucking maverick solution and compile the shit once out of band and deploy the compiled binary to your production environment. I know that forethought and planning ahead will come as a fucking shock to the NPM using community, but try it some time, it's really kinda good. > Manually repeating the actions npm does automatically does nothing to protect you from supply chain attacks. I mean it does, inherently, if you're running those actions locally in an environment without production access... Oh noes, your compromised module stole your DB credentials, and your SES credentials to spam all your customers..... and just got a bunch of failures or sent messages to no-one because the environment has dummy data and uses a locked down sending configuration for SES. There is 100% benefit in running that shit in a development environment. > The only thing that helps is to review code before you run it. Right, and somehow you think having the code in question literally in your VCS, waiting for a merge like all the other code... that's not apparently helpful. But hey thanks for proving me right about the unhinged complaints. Stong echoes of "we've tried nothing and we're all out of ideas". |
Most of the recent supply chain attacks specifically target stealing secrets from development environments.
> But hey thanks for proving me right about the unhinged complaints.
I'm sorry if I'm upsetting you, but I am not complaining or trying to provoke you.
"Just check in the dependencies and review them" is not a revolutionary idea. It makes sense in many contexts.
But it is not practical in the overwhelming majority of contexts. React's last minor version bump included 100 files and ~5k changes. It also bumped the versions of 6 direct dependencies, which in turn bumped dependencies, etc.
It is not reasonable for a small (or even medium) team using react to manually review all of the changes and all the changes in react's transitive deps each time they need to update. The problem grows exponentially with all of the other common projects and libraries likely being used in a front end project(vite, react router, redux, vitest, etc).
pick a few non-trivial npm projects and try to audit all of the changes (for all transitive dependencies) for a few releases that bumped dependencies.