by sebmellen
3 subcomments
- "Here, install my new 1-day old NPM package that doesn't let you install packages younger than 90 days."
Pardon me, I couldn’t help myself :D
by moritzwarhier
2 subcomments
- As someotherguyy already mentioned, this is a default feature in pnpm.
And as far as cat-and-mouse-games go in other package managers, I'd say that pinning dependencies and disabling postinstall scripts is a much better option. Sure, not a foolproof one either, but as good as it gets.
edit: misspelled someotherguyy's user name
- Not controlling transitive deps makes this vastly less useful because direct deps can specify version ranges (e.g. latest minor version). Personally I'd stick with pnpm's feature.
by someothherguyy
0 subcomment
- https://pnpm.io/supply-chain-security
by zelphirkalt
1 subcomments
- This works only if there are some other people, who will use a dependency "too early" to fall victim to some exploit and then notice it, within those 90 days. Imagine, if everyone only used packages older than 90 days. Then we would have no frontrunner to run into the issues before us.
A cooldown time alone is not actually a sufficient solution. What people really need to stop doing, is not properly pinning their versions and checksums, and installing whatever newer version is available. That would cause a problem even, if the date line is moved 90 days into the future for all packages. If however, one only updates versions of dependencies when one consciously makes that choice, there are far fewer points in time, when versions change, and therefore the chance of catching something is also much lower. Combine that with a cooldown time/minimum age for versions, and you got an approach.
by mrconter11
1 subcomments
- But safe-npm is not 90 days old yet.. :/
- How does it differ from: https://docs.npmjs.com/cli/v11/commands/npm-install#before
- Yarn has a configurable npmMinimalAgeGate setting as well since version 4.10: https://yarnpkg.com/configuration/yarnrc#npmMinimalAgeGate
by asdkkthrowaway
2 subcomments
- Doesn't this just mean you're 90 days late on any patches?
- If everybody does that, won't we take 90 days more to detect problems / hacks of npm packages ?
by PunchyHamster
0 subcomment
- Now with 9000% more zero-days!
> Installs the newest "aged" version
Probably want to install version that has CVE-fixed instead, i.e find the cve for packages and install latest version that has all of them fixed but not later.
Technically someone could fake a cve to get people to upgrade but that's a far more involved process
- this is a good idea but i just did this:
alias npm='npm --before="$(date -v-1w +%Y-%m-%d)"'
alias pnpm='pnpm --before="$(date -v-1w +%Y-%m-%d)"'
- the more people use this, the less useful it becomes for everyone. If everyone uses this, then everyone would still be using a particular package for the first time at the same time. What then? Release another package that extends the delay to 6 months?
- Does anyone have any statistics on how long a compromised package has been in the wild on average?
- So how is not using those Debian packages because they are too old working out ? ;-)
- You could dual brand as vibe-npm, only install packages that are in your models training dataset
- With the help of AI, i see no reason to install most deps nowadays besides types and react and mui framework. Everything can be built from scratch quickly.
by aussieguy1234
0 subcomment
- This does mean that security patches released yesterday won't get installed.
Its the opposite of "keep your software up to date"
by waterTanuki
0 subcomment
- Just use pnpm. I've never once had compatibility issues with it on linux/mac/windows over the past 6 years.
by cheesekunator
4 subcomments
- Why does elapsed time mean a library is safe? This is so ridiculous. It doesn't protect you against anything. I'm sure there are 1000s of old libraries out there with hidden vulnerabilities or malicious code.
Hacker News