
Comment by frollogaston

12 hours ago

It's not like npm is particularly bad at handling supply-chain attacks, it's just a very popular ecosystem and gets targeted more as a result. Idk how you truly solve this without code audits, and if anything the more popular/visible packages will be audited more.

Btw, left-pad fallout wasn't all that bad. It's not like the author put something malicious into the code. For less than a day, people couldn't download that dep from npm. If someone really needed to fix a build, they could copy in a backup. Pretty sure a typical C++ or Python project build gets broken on its own more often than that.

> Idk how you truly solve this without code audits

Idk either, but code audits are definitely a solution. Take Debian packages for instance. Debian has package maintainers, and while they may not do full audits, they will at least test it before publishing. In addition, it doesn't get in the "stable" release before an extensive testing phase. Security patches are usually backported.

Or do like with the Apple App Store, where you don't get to publish anything unreviewed.

These are not perfect solutions; there is no such thing as a perfect solution. For instance, Debian is famously lagging behind in versions, and the App Store will sometimes reject your app for no good reason, while being expensive. In every case there is some barrier to entry, a slow process, and it costs time and money, but that mitigates some of the issues.

Npm seems to have very few safeguards, has a culture of always taking the latest version, and as a result is often the victim of supply-chain attacks. I don't think it is just popularity. Debian is really popular too, but AFAIK, it doesn't have this problem. In fact, one of the best known supply-chain attacks is the xz library, and Debian didn't fall to it.