Our great sponsors
-
goggles.mozilla.org
Discontinued Update: This project is no longer maintained and has been archived. See https://foundation.mozilla.org/blog/putting-away-our-x-ray-goggles/ for more information.
-
ua-parser-js
UAParser.js - Free & open-source JavaScript library to detect user's Browser, Engine, OS, CPU, and Device type/model. Runs either in browser (client-side) or node.js (server-side).
-
SurveyJS
Open-Source JSON Form Builder to Create Dynamic Forms Right in Your App. With SurveyJS form UI libraries, you can build and style forms in a fully-integrated drag & drop form builder, render them in your JS app, and store form submission data in any backend, inc. PHP, ASP.NET Core, and Node.js.
-
-
-
-
-
handlebars-helpers
188 handlebars helpers in ~20 categories. Can be used with Assemble, Ghost, YUI, express.js etc.
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
-
-
> I don't think it's a matter of me having a narrow perspective, but maybe you could enlighten me.
I have to think it is, because the "shape" of your responses here have been advice about things that I/we can do to keep my/our own projects (e.g. mission critical, corporate funded) projects rolling, and completely neglected the injured-in-collision-with-other-intoxicated-driver aspect.
As you can probably expect from previous comments, I _have_ to think that your lack of contact with these problems has something to do with the particulars of your situation and the narrow patterns that your experience falls within. Of the projects that match the criteria, easily 40% of them are the type I described. (And, please, no pawning it off with a response like "must be a bad configuration on your machine"; these are consistent observations over the better (worse) part of a decade across many different systems on different machines. It's endemic, not something that can be explained away with must-be-your-org/must-be-your-installation handwaving.)
> code rot is more likely [...] My negative OSS experience has mostly been that package owners abandon projects and don't even respond to github issues
Sure, but the existence of other problems doesn't negate the existence of this class of problems.
> I wouldn't be in a position to dictate that they should commit node_modules in that case.
Which is why I mentioned that this needs to be baked in to the culture. As it stands, the culture is to discourage simple, sensible solutions and prefers throwing even more overengineered tooling that creates new problems of its own and only halfway solves a fraction of the original ones. (Why? Probably because NodeJS/NPM programmers seem to associate solutions that look simple as being too easy, too amateurish—probably because of how often other communities shit on JS. So NPMers always favor the option that looks like Real Serious Business because it either approaches the problem by heaping more LOC somewhere or—even better—if it involves tooling that it looks like it must take a Grown Up to operate.)
> Maybe you could give me an example of the types of projects you're talking about? I'm legitimately curious.
Sure, I don't even have to reach since as I said this stuff happens constantly. In this case, at the time of writing the comments in question, it was literally the last project I even attempted. Check out the Web X-Ray repo <https://github.com/mozilla/goggles.mozilla.org/>. This is conceptually and architecturally a very simple project, with even simpler engineering requirements, and yet trying to enter the time capsule and resurrect it will bring you to your knees on the zeroeth step of just trying to fetch the requisite packages. That's to say nothing of the (very legitimate) issue involving the expectation that even with a successful completion of `npm install` I'd still generally expect one or more packages for any given project to be broken and in need of being hacked in order to get working again, owing to platform changes. (Several other commenters have brought this up, but, bizarrely, they do so as if it's a retort to the point that I'm making and not as if they're actually helping make my case for me... The messy reasoning involved there is pretty odd.)
Submitted link is to a reddit thread.
Better one might be the GitHub issue discussing it: https://github.com/faisalman/ua-parser-js/issues/536
Worth mentioning: there is an open NPM “audit assertions”[1] RFC which would allow the compromised package to be nested one dependency deeper, and would allow the hijacked ua-parser-JS package to assert that it’s unaffected.
Should this proposal go through, it’s quite possible this would have gone much further. It would have allowed the attacker to wait for detection, and to silence any propagation of that to users of the otherwise legitimate package.
I had to bow out of the conversation because I didn’t feel like I could engage it in a healthy way—I’m way too personally affected by my own experience dealing with dismissal of serious security issues—but I think folks here might be interested in it given this compromise.
1: https://github.com/npm/rfcs/pull/422
Semi-related: Microsoft is going to be (or has begun) checking for differences between published npm packages and their source control.
I got a PR in my repository a few days ago leading back to a team trying to make it easier for packages to be reproducible from source https://github.com/microsoft/Secure-Supply-Chain
Deno (https://deno.land/), another runtime based on v8, has a system similar to Go, with local and remote imports https://deno.land/[email protected]/examples/import_export.
>Does npm have a shared cache if you have several projects using the same dependencies?
pnpm does, that's why I'm using it for everything. It's saving me many gigabytes of precious SSD space.
https://github.com/pnpm/pnpm
Seems like a good time to plug my project https://gitlab.com/mikecardwell/safernode
I couldn't find the code, so I just started over. Haven't hosted it anywhere yet.
https://github.com/connorjclark/npm-package-repro
> check out the Web X-Ray repo <https://github.com/mozilla/goggles.mozilla.org/>.
Thanks for example. Peeking a bit under the hood, it appears to be due to transitive dependencies referencing github urls (and transient ones at that) instead of semver, which admittedly is neither standard nor good practice...
FWIW, simply removing `"grunt-contrib-jshint": "~0.4.3",` from package.json and related jshint-related code from Gruntfile was sufficient to get `npm install` to complete successfully. The debugging just took me a few minutes grepping package-lock.json for the 404 URL in question (https://github.com/ariya/esprima/tarball/master) and tracing that back to a top-level dependency via recursively grepping for dependent packages. I imagine that upgrading relevant dependencies might also do the trick, seeing as jshint no longer depends on esprima[0].
I'm not sure how representative this particular case is to the sort of issues you run into, but I'll tell that reproducibility issues can get a lot worse in ways that committing deps doesn't help (for example, issues like this one[1] are nasty to narrow down).
But assuming that installation in your link just happens to have a simple fix and that others are not as forgiving, how is committing node_modules supposed to help here if you're saying you can't even get it to a working state in the first place? DO you own the repo in order to be able to make the change? Or are you mostly just saying that hindsight is 20-20?
[0] https://github.com/jshint/jshint/blob/master/package.json#L4...
[1] https://github.com/node-ffi-napi/node-ffi-napi/issues/143
> check out the Web X-Ray repo <https://github.com/mozilla/goggles.mozilla.org/>.
Thanks for example. Peeking a bit under the hood, it appears to be due to transitive dependencies referencing github urls (and transient ones at that) instead of semver, which admittedly is neither standard nor good practice...
FWIW, simply removing `"grunt-contrib-jshint": "~0.4.3",` from package.json and related jshint-related code from Gruntfile was sufficient to get `npm install` to complete successfully. The debugging just took me a few minutes grepping package-lock.json for the 404 URL in question (https://github.com/ariya/esprima/tarball/master) and tracing that back to a top-level dependency via recursively grepping for dependent packages. I imagine that upgrading relevant dependencies might also do the trick, seeing as jshint no longer depends on esprima[0].
I'm not sure how representative this particular case is to the sort of issues you run into, but I'll tell that reproducibility issues can get a lot worse in ways that committing deps doesn't help (for example, issues like this one[1] are nasty to narrow down).
But assuming that installation in your link just happens to have a simple fix and that others are not as forgiving, how is committing node_modules supposed to help here if you're saying you can't even get it to a working state in the first place? DO you own the repo in order to be able to make the change? Or are you mostly just saying that hindsight is 20-20?
[0] https://github.com/jshint/jshint/blob/master/package.json#L4...
[1] https://github.com/node-ffi-napi/node-ffi-napi/issues/143
> check out the Web X-Ray repo <https://github.com/mozilla/goggles.mozilla.org/>.
Thanks for example. Peeking a bit under the hood, it appears to be due to transitive dependencies referencing github urls (and transient ones at that) instead of semver, which admittedly is neither standard nor good practice...
FWIW, simply removing `"grunt-contrib-jshint": "~0.4.3",` from package.json and related jshint-related code from Gruntfile was sufficient to get `npm install` to complete successfully. The debugging just took me a few minutes grepping package-lock.json for the 404 URL in question (https://github.com/ariya/esprima/tarball/master) and tracing that back to a top-level dependency via recursively grepping for dependent packages. I imagine that upgrading relevant dependencies might also do the trick, seeing as jshint no longer depends on esprima[0].
I'm not sure how representative this particular case is to the sort of issues you run into, but I'll tell that reproducibility issues can get a lot worse in ways that committing deps doesn't help (for example, issues like this one[1] are nasty to narrow down).
But assuming that installation in your link just happens to have a simple fix and that others are not as forgiving, how is committing node_modules supposed to help here if you're saying you can't even get it to a working state in the first place? DO you own the repo in order to be able to make the change? Or are you mostly just saying that hindsight is 20-20?
[0] https://github.com/jshint/jshint/blob/master/package.json#L4...
[1] https://github.com/node-ffi-napi/node-ffi-napi/issues/143