• Arghblarg@lemmy.ca
    link
    fedilink
    English
    arrow-up
    11
    ·
    5 hours ago

    I don’t know much about NPM (having avoided JS as much as possible for my entire life), but golang seems to have a good solution: ‘vendoring’. One can choose to lock all external dependencies to local snapshots brought into a project, with no automatic updating, but with the option to manually update them when desired.

    • tal@lemmy.today
      link
      fedilink
      English
      arrow-up
      7
      ·
      3 hours ago

      I don’t think that that’s a counter to the specific attack described in the article:

      The malicious packages have names that are similar to legitimate ones for the Puppeteer and Bignum.js code libraries and for various libraries for working with cryptocurrency.

      That’d be a counter if you have some known-good version of a package and are worried about updates containing malicious software.

      But in the described attack, they’re not trying to push malicious software into legitimate packages. They’re hoping that a dev will accidentally use the wrong package (which presumably is malicious from the get-go).

    • orclev@lemmy.world
      link
      fedilink
      English
      arrow-up
      12
      ·
      4 hours ago

      NPM has that as well. In fact most languages and build tools support that. It’s actually rare to not have support for that these days.

      • Arghblarg@lemmy.ca
        link
        fedilink
        English
        arrow-up
        2
        ·
        4 hours ago

        Ah, good. I wonder why it isn’t used more often – this wouldn’t be such a huge problem then I would hope. (Let me guess – ‘convenience’, the archenemy of security.)