NPM package ‘ua-parser-JS’ with more than 7M weekly download is compromised

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

Our great sponsors
  • SonarQube - Static code analysis for 29 languages.
  • OPS - Build and Run Open Source Unikernels
  • Scout APM - Less time debugging, more time building
  • goggles.mozilla.org

    Update: This project is no longer maintained and has been archived. See https://foundation.mozilla.org/blog/putting-away-our-x-ray-goggles/ for more information.

    > I don't think it's a matter of me having a narrow perspective, but maybe you could enlighten me.

    I have to think it is, because the "shape" of your responses here have been advice about things that I/we can do to keep my/our own projects (e.g. mission critical, corporate funded) projects rolling, and completely neglected the injured-in-collision-with-other-intoxicated-driver aspect.

    As you can probably expect from previous comments, I _have_ to think that your lack of contact with these problems has something to do with the particulars of your situation and the narrow patterns that your experience falls within. Of the projects that match the criteria, easily 40% of them are the type I described. (And, please, no pawning it off with a response like "must be a bad configuration on your machine"; these are consistent observations over the better (worse) part of a decade across many different systems on different machines. It's endemic, not something that can be explained away with must-be-your-org/must-be-your-installation handwaving.)

    > code rot is more likely [...] My negative OSS experience has mostly been that package owners abandon projects and don't even respond to github issues

    Sure, but the existence of other problems doesn't negate the existence of this class of problems.

    > I wouldn't be in a position to dictate that they should commit node_modules in that case.

    Which is why I mentioned that this needs to be baked in to the culture. As it stands, the culture is to discourage simple, sensible solutions and prefers throwing even more overengineered tooling that creates new problems of its own and only halfway solves a fraction of the original ones. (Why? Probably because NodeJS/NPM programmers seem to associate solutions that look simple as being too easy, too amateurish—probably because of how often other communities shit on JS. So NPMers always favor the option that looks like Real Serious Business because it either approaches the problem by heaping more LOC somewhere or—even better—if it involves tooling that it looks like it must take a Grown Up to operate.)

    > Maybe you could give me an example of the types of projects you're talking about? I'm legitimately curious.

    Sure, I don't even have to reach since as I said this stuff happens constantly. In this case, at the time of writing the comments in question, it was literally the last project I even attempted. Check out the Web X-Ray repo <https://github.com/mozilla/goggles.mozilla.org/>. This is conceptually and architecturally a very simple project, with even simpler engineering requirements, and yet trying to enter the time capsule and resurrect it will bring you to your knees on the zeroeth step of just trying to fetch the requisite packages. That's to say nothing of the (very legitimate) issue involving the expectation that even with a successful completion of `npm install` I'd still generally expect one or more packages for any given project to be broken and in need of being hacked in order to get working again, owing to platform changes. (Several other commenters have brought this up, but, bizarrely, they do so as if it's a retort to the point that I'm making and not as if they're actually helping make my case for me... The messy reasoning involved there is pretty odd.)

  • ua-parser-js

    UAParser.js - Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data. Supports browser & node.js environment.

    Submitted link is to a reddit thread.

    Better one might be the GitHub issue discussing it: https://github.com/faisalman/ua-parser-js/issues/536

  • SonarQube

    Static code analysis for 29 languages.. Your projects are multi-language. So is SonarQube analysis. Find Bugs, Vulnerabilities, Security Hotspots, and Code Smells so you can release quality code every time. Get started analyzing your projects today for free.

  • rfcs

    Public change requests/proposals & ideation (by npm)

    Worth mentioning: there is an open NPM “audit assertions”[1] RFC which would allow the compromised package to be nested one dependency deeper, and would allow the hijacked ua-parser-JS package to assert that it’s unaffected.

    Should this proposal go through, it’s quite possible this would have gone much further. It would have allowed the attacker to wait for detection, and to silence any propagation of that to users of the otherwise legitimate package.

    I had to bow out of the conversation because I didn’t feel like I could engage it in a healthy way—I’m way too personally affected by my own experience dealing with dismissal of serious security issues—but I think folks here might be interested in it given this compromise.

    1: https://github.com/npm/rfcs/pull/422

  • Semi-related: Microsoft is going to be (or has begun) checking for differences between published npm packages and their source control.

    I got a PR in my repository a few days ago leading back to a team trying to make it easier for packages to be reproducible from source https://github.com/microsoft/Secure-Supply-Chain

  • deno

    A modern runtime for JavaScript and TypeScript.

    Deno (https://deno.land/), another runtime based on v8, has a system similar to Go, with local and remote imports https://deno.land/[email protected]/examples/import_export.

  • pnpm

    Fast, disk space efficient package manager -- 快速的,节省磁盘空间的包管理工具

    >Does npm have a shared cache if you have several projects using the same dependencies?

    pnpm does, that's why I'm using it for everything. It's saving me many gigabytes of precious SSD space.

    https://github.com/pnpm/pnpm

  • handlebars-helpers

    188 handlebars helpers in ~20 categories. Can be used with Assemble, Ghost, YUI, express.js etc.

  • OPS

    OPS - Build and Run Open Source Unikernels. Quickly and easily build and deploy open source unikernels in tens of seconds. Deploy in any language to any cloud.

  • safernode

    Seems like a good time to plug my project https://gitlab.com/mikecardwell/safernode

  • npm-package-repro

    I couldn't find the code, so I just started over. Haven't hosted it anywhere yet.

    https://github.com/connorjclark/npm-package-repro

  • esprima

    ECMAScript parsing infrastructure for multipurpose analysis (by ariya)

    > check out the Web X-Ray repo <https://github.com/mozilla/goggles.mozilla.org/>.

    Thanks for example. Peeking a bit under the hood, it appears to be due to transitive dependencies referencing github urls (and transient ones at that) instead of semver, which admittedly is neither standard nor good practice...

    FWIW, simply removing `"grunt-contrib-jshint": "~0.4.3",` from package.json and related jshint-related code from Gruntfile was sufficient to get `npm install` to complete successfully. The debugging just took me a few minutes grepping package-lock.json for the 404 URL in question (https://github.com/ariya/esprima/tarball/master) and tracing that back to a top-level dependency via recursively grepping for dependent packages. I imagine that upgrading relevant dependencies might also do the trick, seeing as jshint no longer depends on esprima[0].

    I'm not sure how representative this particular case is to the sort of issues you run into, but I'll tell that reproducibility issues can get a lot worse in ways that committing deps doesn't help (for example, issues like this one[1] are nasty to narrow down).

    But assuming that installation in your link just happens to have a simple fix and that others are not as forgiving, how is committing node_modules supposed to help here if you're saying you can't even get it to a working state in the first place? DO you own the repo in order to be able to make the change? Or are you mostly just saying that hindsight is 20-20?

    [0] https://github.com/jshint/jshint/blob/master/package.json#L4...

    [1] https://github.com/node-ffi-napi/node-ffi-napi/issues/143

  • JSHint

    JSHint is a tool that helps to detect errors and potential problems in your JavaScript code

    > check out the Web X-Ray repo <https://github.com/mozilla/goggles.mozilla.org/>.

    Thanks for example. Peeking a bit under the hood, it appears to be due to transitive dependencies referencing github urls (and transient ones at that) instead of semver, which admittedly is neither standard nor good practice...

    FWIW, simply removing `"grunt-contrib-jshint": "~0.4.3",` from package.json and related jshint-related code from Gruntfile was sufficient to get `npm install` to complete successfully. The debugging just took me a few minutes grepping package-lock.json for the 404 URL in question (https://github.com/ariya/esprima/tarball/master) and tracing that back to a top-level dependency via recursively grepping for dependent packages. I imagine that upgrading relevant dependencies might also do the trick, seeing as jshint no longer depends on esprima[0].

    I'm not sure how representative this particular case is to the sort of issues you run into, but I'll tell that reproducibility issues can get a lot worse in ways that committing deps doesn't help (for example, issues like this one[1] are nasty to narrow down).

    But assuming that installation in your link just happens to have a simple fix and that others are not as forgiving, how is committing node_modules supposed to help here if you're saying you can't even get it to a working state in the first place? DO you own the repo in order to be able to make the change? Or are you mostly just saying that hindsight is 20-20?

    [0] https://github.com/jshint/jshint/blob/master/package.json#L4...

    [1] https://github.com/node-ffi-napi/node-ffi-napi/issues/143

  • node-ffi-napi

    A foreign function interface (FFI) for Node.js, N-API style

    > check out the Web X-Ray repo <https://github.com/mozilla/goggles.mozilla.org/>.

    Thanks for example. Peeking a bit under the hood, it appears to be due to transitive dependencies referencing github urls (and transient ones at that) instead of semver, which admittedly is neither standard nor good practice...

    FWIW, simply removing `"grunt-contrib-jshint": "~0.4.3",` from package.json and related jshint-related code from Gruntfile was sufficient to get `npm install` to complete successfully. The debugging just took me a few minutes grepping package-lock.json for the 404 URL in question (https://github.com/ariya/esprima/tarball/master) and tracing that back to a top-level dependency via recursively grepping for dependent packages. I imagine that upgrading relevant dependencies might also do the trick, seeing as jshint no longer depends on esprima[0].

    I'm not sure how representative this particular case is to the sort of issues you run into, but I'll tell that reproducibility issues can get a lot worse in ways that committing deps doesn't help (for example, issues like this one[1] are nasty to narrow down).

    But assuming that installation in your link just happens to have a simple fix and that others are not as forgiving, how is committing node_modules supposed to help here if you're saying you can't even get it to a working state in the first place? DO you own the repo in order to be able to make the change? Or are you mostly just saying that hindsight is 20-20?

    [0] https://github.com/jshint/jshint/blob/master/package.json#L4...

    [1] https://github.com/node-ffi-napi/node-ffi-napi/issues/143

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts