| ▲ | gchamonlive 4 hours ago |
| We've seen many reports of supply chain attacks affecting NPM. Are these symptoms of operational complexity, which can affect any such service, or is there something fundamentally wrong with NPM? |
|
| ▲ | hannob 4 hours ago | parent | next [-] |
| It's actually relatively simple. Adding dependencies comes with advantages and downsides. You need to strike a balance between them. External libraries can help implement things that you better don't implement yourself, so the answer is certainly not "no dependencies". But there are downsides and risks, and the risks grow with the number of dependencies. In the world of NPM, people think those simple truths don't apply to them and the downsides and risks of dependencies can be ignored. Then you end up with thousands of transitive dependencies. They're wrong and learn it the hard way now. |
|
| ▲ | palmfacehn 4 hours ago | parent | prev | next [-] |
| Apparently Maven has 61.9M indexed packages. As Java has a decent standard lib, mini libs like leftpad are not contributing to this count. NPM has 3.1M packages. Many are trivially simple. Those stats would suggest that NPM has disproportionately more issues than other services. I would argue that is only one of the many issues with the JS/TS/NPM ecosystem. Many of the other problems have been normalized. The constant security issues are highly visible. |
| |
| ▲ | jsiepkes 4 hours ago | parent | next [-] | | > Apparently Maven has 61.9M indexed packages. Where did you see that number? Maven central says it has about 18 million [1] packages. Maybe with all versions of those 18 million packages there are about 62 million artifacts? While the Java ecosystem is vastly larger, in Java (with Maven, Gradle, Bazel, etc.) it is not common to use really small libraries. So you end up with vastly less transitive dependencies in your projects. [1] https://mvnrepository.com/repos/central | | | |
| ▲ | eastbound 4 hours ago | parent | prev [-] | | On Maven, I restrict packages to Spring and Apache. As opposed to NPM, where even big vendors can depend on hundreds of small ones. | | |
| ▲ | skydhash 4 hours ago | parent [-] | | This. You would expect some of the mature packages to be quite diligent about dependencies, but they are the one pulling random stuff for a minor feature. then the transitive dependencies adds like GBs of files to your project. |
|
|
|
| ▲ | Intermernet 4 hours ago | parent | prev | next [-] |
| Just spit-balling here, but it seems that the problem is with the pushing to NPM, and distribution from NPM, rather than the concept of NPM. If NPM required some form of cryptographically secure author signing, and didn't distribute un-signed packages, then there is at least a chain of responsibility that can be followed. |
|
| ▲ | karel-3d 3 hours ago | parent | prev | next [-] |
| There is a guy (ljharb) who is literally on TC39 - JavaScript specification committee - who is maintaining like 600 packages full of polyfills/dependencies/utilities. It's just javascript being javascript. |
| |
| ▲ | Sammi 3 hours ago | parent | next [-] | | There was a huge uproar about that guy specifically and deep dependency graphs in general a year ago. A lot has already changed for lots of the popular frameworks and libraries. Dependency graphs are already much slimmer. The cultural change is happening, but we can't expect it to happen all at once. | |
| ▲ | bapak an hour ago | parent | prev | next [-] | | Irrelevant here. You use eslint-plugin-import with its 60 dependencies; One dependency or 60 is irrelevant because you only need one token: his. They're all his packages. The problem with that guy is that the dependencies are useless to everyone except his ego. | |
| ▲ | imtringued an hour ago | parent | prev [-] | | That wouldn't be a problem if there was proper package signing and the polyfill packages were hosted under a package namespace owned by the javascript specification committee. |
|
|
| ▲ | liveoneggs 4 hours ago | parent | prev | next [-] |
| It's the entire blase nature of js development in general. |
|
| ▲ | 4 hours ago | parent | prev | next [-] |
| [deleted] |
|
| ▲ | koakuma-chan 4 hours ago | parent | prev | next [-] |
| > is there something fundamentally wrong with NPM? Its users don't check who the email is from |
|
| ▲ | dist-epoch 4 hours ago | parent | prev | next [-] |
| It's just where the users and the juicy targets are. NPM packages are used by huge Electron apps like Discord, Slack, VS Code, the holy grail would be to somehow slip something inside them. |
| |
| ▲ | LeifCarrotson 3 hours ago | parent | next [-] | | It's both that and a culture of installing a myriad of constantly-updating, tiny libraries to do basic utility functions. (Not even libraries, they're more like individual pages in individual books). In our line-of-business .NET app, we have a logger, a database, a unit tester, and a driver for some specialty hardware. We upgrade to the latest version of each external dependency about once per year (every major version) to avoid accruing tech debt. They're all pinned and locally hosted, nuget exists but we (like most .Net developers) don't use it to the extent that npm devs do. We read the changelogs - all four of them! - and manually update. I understand that the NPM ecosystem works differently from a "batteries included" .Net environment for a desktop app, but it's not just about where the users are. Line of business code in .Net and Java apps process a lot of important data. Slipping a malicious package into pypi could expose all kinds of juicy, proprietary data, but again, it's less about the existence of a package manager and more about when and how you use it. | | | |
| ▲ | guidedlight 4 hours ago | parent | prev | next [-] | | We don't see these attacks nearly as severe or frequent on Maven, which is a much older package management solution. Maven users would be far more attractive targets given corporates extensively run Java. | | |
| ▲ | mr_toad 4 hours ago | parent [-] | | Number of packages doesn’t mean much. If you can get your code into just one Javascript package you could have it run on billions of browsers. With Java it’s hard to get the same distribution (although the log4j vulnerability shows it’s not entirely impossible). |
| |
| ▲ | ehnto 4 hours ago | parent | prev | next [-] | | It is also, in my humble but informed opinion, where you will find the least security concious programs, just because of the breadth of it's use and myriad of deployments. It's the new pragmatic choice for web apps and so it's everyone is using it, from battle hardened teams to total noobs to people who just don't give a shit. It reminds me of Wordpress from 10 years ago, when it was the goto platform for cheap new websites. | |
| ▲ | anthk 4 hours ago | parent | prev | next [-] | | Every NPM turd should be run with bubblewrap or a similar sandbox toolkit at least. | |
| ▲ | gchamonlive 3 hours ago | parent | prev [-] | | So do you expect other supply chain services that also supply juicy targets to be affected? I mean, we live in a bubble here in HN, so not seeing something in the front page doesn't mean it doesn't exist or it doesn't happen, but the feeling is that NPM is particularly more vulnerable than other services, correct me if I'm wrong. |
|
|
| ▲ | DimmieMan 4 hours ago | parent | prev [-] |
| NPM isn’t perfect but no, it’s fundamentally self inflicted. Community is very happy to pick up helper libraries and by the time you get all the way up the tree in a react framework you have hundreds or even thousands of packages. If you’re sensible you can be fine just like any other ecosystem, but limited because one wrong package and you’ve just ballooned your dependency tree by hundreds which lowers the value of the ecosystem. Node doesn’t have a standard library and until recently not even a test runner which certainly doesn’t help. If your sensible with node or Deno* you’ll somewhat insulated from all this nonsense. *Deno has linting,formatting,testing & a standard library which is a massive help (and a permission system so packages can’t do whatever they want) |
