Comment by jimmyl02
2 months ago
this being the 2nd large compromise of the week is not boding well for the NPM ecosystem...
supply chain is and has been the new gold mine for bad actors it seems
There have been practical suggestions that could prevent this but NPM has not yet adopted:
- Prevent publishing new package versions for 24–48 hours after account credentials are changed.
- Require support for security keys.
The most important is just having authors sign their code and packages, and verifying code that is signed on download, like every sane Linux distro does.
Except NPM rejected this over and over going back to 2013.
https://github.com/npm/npm/pull/4016
Some of the reservations around GPG and PKI are understandable. GPG signing clearly works for OS package managers where there is more control, but it's been a failure on PyPI, RubyGems and Maven.
I'd love to see npm adopt keyless signing like PyPI is doing with https://peps.python.org/pep-0740/.
> NPM has bigger problems - no adults in the room! For example, they've been rejecting signed packages since 2014 or thereabouts?
Expect npm repos to be overflowing with AI-submitted crap that will lower the signal substantially due to not having any sort of identity via signing.