JavaScript

2716 readers

4 users here now

founded 2 years ago

MODERATORS

erlingur@programming.dev

Ategon@programming.dev

nick@programming.dev

npm's Defaults Are Bad (nesbitt.io)

submitted 4 weeks ago by codeinabox@programming.dev to c/javascript@programming.dev

2 comments fedilink hide all child comments

Yesterday the axios package was compromised on npm. An attacker hijacked a maintainer account, published two malicious versions that bundled a remote access trojan through a staged dependency called plain-crypto-js, and the versions were live for two to three hours before npm pulled them. Axios gets 83 million weekly downloads. This keeps happening over and over and over and the post-incident conversation always goes the same way: was the maintainer using MFA, should the registry have caught it faster, should people be running more scanners. None of that gets at why JavaScript keeps having these incidents at a rate no other ecosystem comes close to matching. The npm client’s defaults actively enable the attacks and have done for years.

top 2 comments

sorted by: hot top controversial new old

[–] LodeMike@lemmy.today 0 points 4 weeks ago (1 children)

npm is bad

[–] codeinabox@programming.dev 0 points 4 weeks ago

It's definitely got the worst defaults compared to the alternatives.

pnpm, Bun, and Deno have all made better choices about their defaults. pnpm blocks postinstall scripts, Bun requires explicit opt-in for them, Deno’s permission model is restrictive by design.