← Back to context

Comment by broeng

9 hours ago

Compared to the Java ecosystem, I think there's a couple of issues in the NPM ecosystem that makes the situation a lot worse:

1) The availability of the package post-install hook that can run any command after simply resolving and downloading a package[1].

That, combined with:

2) The culture with using version ranges for dependency resolution[2] means that any compromised package can just spread with ridiculous speed (and then use the post-install hook to compromise other packages). You also have version ranges in the Java ecosystem, but it's not the norm to use in my experience, you get new dependencies when you actively bump the dependencies you are directly using because everything depends on specific versions.

I'm no NPM expert, but that's the worst offenders from a technical perspective, in my opinion.

[1]: I'm sure it can be disabled, and it might even be now by default - I don't know. [2]: Yes, I know you can use a lock file, but it's definitely not the norm to actively consider each upgraded version when refreshing the lockfile.

5 comments

broeng

Reply
hiccuphippo  1 hour ago

Also badly named commands, `npm install` updates your packages to the latest version allowed by package.json and updates the lock file, `npm ci` is what people usually want to do: install the versions according to the lock file.

IMO, `ci` should be `install`, `install` should be `update`.

Plus the install command is reused to add dependencies, that should be a separate command.

silverwind  3 hours ago

> The culture with using version ranges for dependency resolution

Yep, auto-updating dependencies are the main culprit why malware can spread so fast. I strongly recommend the use `save-exact` in npm and only update your dependencies when you actually need to.

  • tedivm  2 hours ago

    This advice leaves you vulnerable to log4j style vulnerabilities that get discovered though.

    The answer is a balance. Use Dependabot to keep dependencies up to date, but configure a dependency cooldown so you don't end up installing anything too new. A seven day cooldown would keep you from being vulnerable to these types of attacks.

    • SAI_Peregrinus  20 minutes ago

      Cooldowns only work if enough people don't use cooldowns (or don't use cooldowns longer than yours) for attacks to get noticed.

Cthulhu_  7 hours ago

To add a few:

* NPM has a culture of "many small dependencies", so there's a very long tail of small projects that are mostly below the radar that wouldn't stand out initially if they get a patch update. People don't look critically into updated versions because there's so many of them.

* Developers have developed a culture of staying up-to-date as much as possible, so any patch release is applied as soon as possible, often automated. This is mainly sold as a security feature, so that a vulnerability gets patched and released before disclosure is done. But it was (is?) also a thing where if you wait too long to update, updating takes more time and effort because things keep breaking.