Comment by rvz
1 day ago
Once again, it is in the NPM ecosystem. OneCLI [0] does not save you either. Happens less with languages that have better standard libraries such as Go.
If you see any package that has hundreds of libraries, that increases the risk of a supply chain attack.
A password manager does not need a CLI tool.
> A password manager does not need a CLI tool.
A password manager absolutely does need a CLI tool??
> A password manager does not need a CLI tool.
Why not? Even macos keychain supports cli.
The above comment is just a bunch of generalizations not meant to be addressed seriously, that's why.
So the comparison here is that you would rather trust a password manager with a CLI that imports hundreds of third-party dependencies over a first party password manager with a CLI that comes with the OS?
I don't think macOS Keychain uses NPM, it isn't in TypeScript or JavaScript and, yes, it does not need a CLI either.
The NPM and JavaScript/TypeScript ecosystem is part of the problem that encourages developers to import hundreds of third-party libraries, due to its weak standard library; it takes at least ONE transitive dependency to be compromised and it is game over.
I guess anyone/anything using a non-graphical interface should just not use a password manager for some reason?
Not to mention that a graphical application is just as vulnerable to supply chain attacks.
It seems like we need better standard libraries, but standard libraries turn into tarpits. I sort of like the way Python's stdlib works.
Yeah, I'm going to have to agree with this.
> A password manager does not need a CLI tool.
That's a wild statement. The CLI is just another UI.
The problem in this case is JS and the NPM ecosystem. Go would be an improvement, but complexity is the enemy of security. Something like (pass)age is my preference for storing sensitive data.