| ▲ | efortis 3 days ago |
| Mitigate it with: echo "ignore-scripts=true" >> ~/.npmrc
https://blog.uxtly.com/getting-rid-of-npm-scripts |
|
| ▲ | lrvick 3 days ago | parent | next [-] |
| And then the vulnerable code will just move to shell execs in the main library that fire the next time you include the library in your project. If you do not have time to review a library, then do not use it. |
| |
| ▲ | efortis 2 days ago | parent | next [-] | | I partially agree, but that does mitigate it. The report says the attacker injected a `postinstall` script, which is common. On the other hand, yes, an attack at code level, or a legit bug wouldn't be prevented. | |
| ▲ | singulasar 3 days ago | parent | prev [-] | | I'm so sick of people saying this.
If you use js for any non-tiny project, you'll have a bunch of packages.
Due to how modules work in js, you'll have many, many sub dependencies. Nobody has time to review every package they'll use, especially when not all sub dependencies have fully pinned versions. If you have time to review every package, every time it updates, you might as well just write it yourself. Yes, this is a problem, no reviewing every dependency is not the damn solution | | |
| ▲ | lrvick 2 days ago | parent | next [-] | | I have built and shipped production web applications for many large orgs with millions of users. Used 1-2 libs tops that i reviewed myself. Also now as someone that runs a security consulting firm, we absolutely have clients that review 100% of dependencies even when it is expensive. Both are valid options. Normalized negligence is still negligence. | |
| ▲ | efortis 2 days ago | parent | prev [-] | | Show them this Ken Thompson paper of 1984: "Reflections on Trusting Trust" https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref... And then hardware compromises… I don't mean install anything. I mean, it's not a problem particular to the JS ecosystem. | | |
|
|
|
| ▲ | wrs 3 days ago | parent | prev [-] |
| Some packages have install scripts that actually need to run (e.g., esbuild). pnpm refuses to run install scripts from packages you haven’t manually authorized, which helps a bit. |
| |
| ▲ | lrvick 3 days ago | parent | next [-] | | pnpm cannot be built from source without an existing pnpm binary making it ineligible for inclusion in any reproducible Linux distro, for good reason, as there is no way to rule out a trusting trust attack. Pnpm should be considered for hobby use cases only. | |
| ▲ | efortis 3 days ago | parent | prev [-] | | Yes, at the end of that blog there are two options for that: npm install --ignore-scripts=false package-i-trust
Or, trigger the installation script: node node_modules/puppeteer/install.js
| | |
| ▲ | wrs 3 days ago | parent [-] | | The pnpm version of this is persistent. You approve the package once, and regular install works thereafter. Which is nice. | | |
| ▲ | DemocracyFTW2 3 days ago | parent [-] | | is that permission tied to a specific version with a specific fingerprint/hash? because if it's not then you could still get a surprise come the next update... | | |
| ▲ | wrs 2 days ago | parent [-] | | It is by package name, but at least you won't be surprised when left-pad suddenly has an install script. You can put a fingerprint on the package dependency itself, though, so if you add a fingerprint to anything you approve the install script for, you will get that level of safety. |
|
|
|
|
