Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
gleenn 6 hours ago

Friends don't let friends use NPM. At this point it is so wildly crazy watching people get owned, I don't understand how anyone uses it when they could use e.g. PNMPM and block one if the most obvious and frequently exploited holes. These tools with arbitrary code execution when trying to download some code have got to stop.

Edit: typos

afpx 5 hours ago | parent | next [-]

Github / Microsoft could easily fix this, couldn't they? Leaving NPM up in its current state seems criminal, especially since LLMs generate NPM commands so frequently.

jjice 5 hours ago | parent | next [-]

They have some changes here in v12: https://github.blog/changelog/2026-06-09-upcoming-breaking-c...

ashishb 2 minutes ago | parent | next [-]

Won't help.

You will still run 'npm run ...' which will have the full access to your disk unless you run it in a sandbox

https://github.com/ashishb/amazing-sandbox

WalterGR 2 hours ago | parent | prev [-]

And the discussion here, with 215 comments: https://news.ycombinator.com/item?id=48467705

sheept 4 hours ago | parent | prev | next [-]

Is it possible to fix it in a backwards compatible way? Removing lifecycle scripts is at least a semver major change, and would complicate existing projects relying on packages with lifecycle scripts from upgrading.

evilduck 2 hours ago | parent [-]

This is a real world trolley problem scenario. You can break workflows or you can let everyone get pwned by supply chain attacks. Which is the greater harm?

sheept 2 hours ago | parent [-]

People will not adopt a safer version if it broke their workflows. Adoption is part of preventing supply chain attacks.

2 hours ago | parent | prev [-]
[deleted]
winddude 5 hours ago | parent | prev | next [-]

> Friends don't let friends ise NPM

or linkedin

jzig 5 hours ago | parent [-]

I don't have friends, therefore I must use LinkedIn to get a job. Hooray!

nijave 3 hours ago | parent | prev | next [-]

>These tools with arbitrary code execution when trying to download some code have got to stop

But you still end up with the code on your machine and risk it being ran.

Bigger issue is giant, inscrutible dependency trees.

In this example, if they tried to run the test suite or application, they'd have been in the same boat.

Afaik all or most languages have some way to run arbitrary code at install time but it seems node is the main one getting targeted. I think the bigger issue here is just people running untrusted things.

ashishb 2 minutes ago | parent [-]

Exactly

Run everything inside isolated sandboxes is the only way out.

https://github.com/ashishb/amazing-sandbox

0x20cowboy 3 hours ago | parent | prev | next [-]

I agree, but I’d extend that to any language using a package manager at this point. “A little copying is better than a little dependency” even more correct now.

All my current projects have all the code needed in the repo (unless impossible, and aside from a compiler which I guess could also be compromised)

schrodinger 2 hours ago | parent [-]

IYKYK

5 hours ago | parent | prev [-]
[deleted]