| ▲ | tarruda 4 hours ago |
| AFAICT, the only thing this attack relies on, is the lack of scrutiny by developers when adding new dependencies. Unless this lack of scrutiny is exclusive to JavaScript ecosystem, then this attack could just as well have happened in Rust or Golang. |
|
| ▲ | coldpie 4 hours ago | parent | next [-] |
| I don't know Go, but Rust absolutely has the same problem, yes. So does Python. NPM is being discussed here, because it is the topic of the article, but the issue is the ease with which you can pull in unvetted dependencies. Languages without package managers have a lot more friction to pull in dependencies. You usually rely on the operating system and its package-manager-humans to provide your dependencies; or on primitive OSes like Windows or macOS, you package the dependencies with your application, which involves integrating them into your build and distribution systems. Both of those involve a lot of manual, human effort, which reduces the total number of dependencies (attack points), and makes supply-chain issues like this more likely to be noticed. The language package managers make it trivial to pull in dozens or hundreds of dependencies, straight from some random source code repository. Your dependencies can add their own dependencies, without you ever knowing. When you have dozens or hundreds of unvetted dependencies, it becomes trivial for an attacker to inject code they control into just one of those dependencies, and then it's game over for every project that includes that one dependency anywhere in their chain. It's not impossible to do that in the OS-provided or self-managed dependency scenario, but it's much more difficult and will have a much narrower impact. |
| |
| ▲ | skydhash 2 hours ago | parent [-] | | If you try installing npm itself on debian, you would think you are downloading some desktop environment. So many little packages. |
|
|
| ▲ | 4 hours ago | parent | prev | next [-] |
| [deleted] |
|
| ▲ | tomjen3 an hour ago | parent | prev | next [-] |
| That, and the ability to push an update without human interaction. |
|
| ▲ | hsbauauvhabzb 4 hours ago | parent | prev [-] |
| JavaScript does have some pretty insane dependency trees. Most other languages don’t have anywhere near that level of nestedness. |
| |
| ▲ | staminade 3 hours ago | parent | next [-] | | Don't they? I just went to crates.io and picked a random newly updated crate, which happened to be pixelfix, which fixes transparent pixels in pngs. It has six dependencies and hundreds of transient dependencies, may of which appear to be small and highly specific a la left-pad. https://crates.io/crates/pixelfix/0.1.1/dependencies Maybe this package isn't representative, but it feels pretty identical to the JS ecosystem. | | |
| ▲ | koakuma-chan 3 hours ago | parent [-] | | It depends on `image` which in turn depends on a number of crates to handle different file types. If you disable all `image` features, it only has like 5 dependencies left. | | |
| ▲ | staminade 3 hours ago | parent [-] | | And all those 5 remaining dependencies have lots of dependencies of their own. What's your point? | | |
| ▲ | koakuma-chan 3 hours ago | parent [-] | | > What's your point? Just defending Rust. > 5 remaining dependencies have lots of dependencies of their own. Mostly well-known crates like rayon, crossbeam, tracing, etc. | | |
| ▲ | johnisgood 2 hours ago | parent [-] | | You cannot defend Rust if this is reality. Any Rust project I have ever compiled pulled in over 1000 dependencies. Recently it was Zed with its >2000 dependencies. | | |
|
|
|
| |
| ▲ | cxr 3 hours ago | parent | prev | next [-] | | It's not possible for a language to have an insane dependency tree. That's an attribute of a codebase. | | |
| ▲ | orbital-decay an hour ago | parent | next [-] | | Modern programming languages don't exist in a vacuum, they are tied to the existing codebase and libraries. | |
| ▲ | WD-42 2 hours ago | parent | prev [-] | | Maybe the language should have a standard library then. | | |
| ▲ | skydhash 2 hours ago | parent [-] | | C library is smaller than Node.js (you won’t have HTTP). What C have is much more respectable libraries. If you add libcurl or freetype to your project, it won’t pull the whole jungle with them. | | |
| ▲ | int_19h 41 minutes ago | parent [-] | | What C doesn't have is an agreed-upon standard package manager. Which means that any dependency - including transitive ones! - requires some effort on behalf of the developer to add to the build. And that, in turn, puts pressure on library authors to avoid dependencies other than a few well-established libraries (like libpng or GLib), |
|
|
| |
| ▲ | rixed 3 hours ago | parent | prev | next [-] | | This makes little sense. Any popular language with a lax package management culture will have the exact same issue, this has nothing to do with JS itself.
I'm actually doing JS quasi exclusively these days, but with a completely different tool chain, and feel totally unconcerned by any of these bi-weekly NPM scandals. | |
| ▲ | BrouteMinou 2 hours ago | parent | prev [-] | | Rust is working on that. It's not far behind right now, leave it a couple of years. |
|
