Comment by HighGoldstein

2 days ago

Mitigate? Stop using random packages. Prevent? Stop using NPM and similar package ecosystems altogether.

That package wasn't any more random than any other NodeJS package. NPM isn't inherently different from, say, Debian repositories, except the latter have oversight and stewardship and scrutiny.

That's what's needed and I am seriously surprised NPM is trusted like it is. And I am seriously surprised developers aren't afraid of being sued for shipping malware to people.

  • > NPM isn't inherently different from, say, Debian repositories, except the latter have oversight and stewardship and scrutiny.

    Which when compared to NPM, which has no meaningful controls of any sort, is an enormous difference.

  • "NPM isn't inherently different from, say, Debian repositories, except the latter have oversight and stewardship and scrutiny"

    Yeah, that's the entire point.

> and similar package ecosystems altogether

Realistically, this is impossible.

  • It's really, really not. Just write the libraries yourself. Have a team or two who does that stuff.

    And, if you do need a lib because it's too much work, like maybe you have to parse some obscure language, just vendor the package. Read it, test it, make sure it works, and then pin the version. Realistically, you should only have a few dozen packages like this.

  • At some point having LLMs spit out libraries for you might be safer than actually downloading them.

    • This does help. Even before, I was pretty careful about what I used, not just for security but also simplicity. Nowadays it's even easier to LLM-generate utils that one might've installed a dep for in the past.