Every NPM package potentially compromised

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • corepack

    Zero-runtime-dependency package acting as a bridge between Node projects and their package managers

  • Recently Node 16 LTS cycle started. One month and a few days before the carry-over, a super controversial package titled `coredeps` [0] was officially declared a core module and has been bundled with all official distributions since.

    The NodeJS team refuses to discuss NPM because it's a separate 3rd party. And yet.... this NodeJS Core module comes pre-installed as a global NPM package.

    We're just getting started.

    This module installs or even reinstalls any supported package manager when you execute a script with a name that would match any that they'd recognise. Opt-in for only a short period, and intending to expand beyond package manager installations.

    Amidst all that's been going on, NPM (Nonstop Published Moments) is working on a feature that silently hijacks user commands and installs foreign software. The code found in those compromised packages operated in a similar manner and was labeled a critical severity vulnerability.

    The following might actually make you cry.

    Of these third party remote distributions it's downloading, the number of checksums, keys, or even build configurations that are being verified is 0.

    The game that Microsoft is playing with their recent acquisitions here is quite clear, but there's too much collateral damage.

    [0] https://github.com/nodejs/corepack#readme

  • rfcs

    Public change requests/proposals & ideation (by npm)

  • Fortunately there is an option (--ignore-scripts) that prevents all code from running at install time, and there are solutions if specific scripts do need to be run. Such examples are so rare, though, that there is an active proposal to make this option the default.

    https://github.com/npm/rfcs/pull/488

  • npm

  • Linux distros and Mobile Apps rarely see these issues for one simple reason: packages must all be signed by a vetted maintainer before they are ever submitted and every client has the ability to verify signatures came from approved maintainers who hold the signing keys.

    Phishing, bad 2FA, and vulnerabilities of the central repo upload path itself all go away with this simple tactic used by all sane package managers.

    Someone PRed this exact same effective strategy to NPM in 2013, and it was refused even as -optional-.

    https://github.com/npm/npm/pull/4016#issuecomment-76316744

    NPM team members have ignorantly maintained that hashing packages is good enough. They insist on being a central authority for all packages with no method to strongly authenticate authors and this negligence has repeatedly endangered millions.

    Meanwhile Debian and other community Linux distros maintain, sign, and distribute hundreds of popular NodeJS packages themselves now because they realize it would be negligent to risk having NPM in their supply chain.
