NPM Vulnerability Discussion on Twitter

This page summarizes the projects mentioned and recommended in the original post on

Our great sponsors
  • Appwrite - The Open Source Firebase alternative introduces iOS support
  • Klotho - AWS Cloud-aware infrastructure-from-code toolbox [NEW]
  • Sonar - Write Clean JavaScript Code. Always.
  • InfluxDB - Access the most powerful time series database as a service
  • npm

    I checked the password-reset flows for most major NPM contributors that use regular webmail accounts like Gmail too.

    < 10% had useful 2FA enabled. Most were just password reset questions or had a backup email to some old expired and re-registerable forgotten earthlink accounts etc.

    I do this stuff all the time.

    The solution is what all sane OS package managers do: code signing.

    NPM has rejected this at least as far back as 2013 when they rejected a PR by someone that implemented it for them:

    I don't know what else to do but keep publicly trolling them at this point. Unsigned code is a free pass for remote code execution when an account gets taken over.

    Meanwhile Debian maintains hundreds of signed nodejs packages. It is very doable. NPM seems to just want to reduce deveopler friction at all costs.

  • discussions

    Soliciting ideas and feedback for community driven collaborative projects that help Node. (by node-forward)

    The question in that thread, and this later thread,[1] is how to know which keys are valid to sign a package.

    For example: I go to release a new version and I've lost my private key, so I roll a new one -- this will happen often across npm's 1.3 million packages. Do I then ... log in with my email and update the private key on my account and go about my business? What process does npm use to make sure my new key is valid? Can a person with control over my email address fake that process? How are key rotations communicated to people updating packages -- as an almost-always-false-positive red flag, or not at all, or some useful amount in between? If you don't get this part of the design right -- and no one suggests how to in those threads -- then you're just doing hashes with worse UX. And the more you look at it, the more you might start to think (as the npm devs seem to) that npm account security is the linchpin of the whole thing rather than signing.

    It's not just npm; that thread includes a PyPI core dev chipping in with the same view: "Lots of language repositories have implemented (a) [signing] and punted on (b) and (c) [some way to know which keys to trust] and essentially gained nothing. It's my belief that if npm does (a) without a solution for (b) and (c) they'll have gained nothing as well." It also has a link from a Homebrew issue thread deciding not to do signatures for the same reason -- they'd convey a false expectation without a solution for key verification.[2]


  • Appwrite

    Appwrite - The Open Source Firebase alternative introduces iOS support . Appwrite is an open source backend server that helps you build native iOS applications much faster with realtime APIs for authentication, databases, files storage, cloud functions and much more!

  • HomeBrew

    🍺 The missing package manager for macOS (or Linux)

  • isnan

    Test whether value is NaN

  • rfcs

    RubyGems + Bundler RFCs (by rubygems)

    > < 10% had useful 2FA enabled.

    I expect this to change. NPM will roll out mandatory MFA for the most-downloaded packages[0] (RubyGems as well[1]). I expect this will rise to a 100% requirement at some point because Github's decision to require MFA by the end of 2023 will massively raise the waterline of folks who have the capability to MFA and experience with MFA.



  • enquirer

    Stylish, intuitive and user-friendly prompts, for Node.js. Used by eslint, webpack, yarn, pm2, pnpm, RedwoodJS, FactorJS, salesforce, Cypress, Google Lighthouse, Generate, tencent cloudbase, lint-staged, gluegun, hygen, hardhat, AWS Amplify, GitHub Actions Toolkit, @airbnb/nimbus, and many others! Please follow Enquirer's author:

    > I don't fully understand why packages like this are so popular.

    It actually works like this: Author X develops `iseven`, `isodd`, etc. No one really downloads such packages. Author X then develops `importantPackage` which does do something useful developers out here download. Now `iseven`, `isodd` are downloaded alongside `importantPackage`.

    My point is, we should recognize certain NPM authors as toxic, but I guess "freedom of speech/code" stops us from doing so. Example of such an author:

  • Babel (Formerly 6to5)

    🐠 Babel is a compiler for writing next generation JavaScript.

    The reason it doesn't get called out is because the philosophy of "thousands of small packages" has spread far and wide. [1]

    For every person calling it out like we're doing here, there are ten others praising maintainers able to whip ten semi-useless packages per week.

    It's not just random maintainers making small packages. The core infrastructure of Javascript is in it. Babel is made of hundreds of packages, which all live on the same repository (because of course the maintainers don't want the hassle of maintaining multiple things). Some of those packages don't even have anything of importance in it, just metadata, a couple flags and some boilerplate [2]. The package is just a way of organizing code. Webpack, ESLint and others aren't exactly better.

    The reason people do it is because other popular people have been doing it for a long time, and nobody calls them out on it.



  • Klotho

    AWS Cloud-aware infrastructure-from-code toolbox [NEW]. Build cloud backends with Infrastructure-from-Code (IfC), a revolutionary technique for generating and updating cloud infrastructure. Try IfC with AWS and Klotho now (Now open-source)

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts