by bastawhiz
5 subcomments
- I'm not sure how I missed that npm was acquired by GitHub, but man, a lot of stuff suddenly makes a lot of sense. I really can't think of a worse home for such a critical part of the Node ecosystem.
- postinstall scripts should've been removed long time ago, it's the cancer of NPM packages. There's so many deeply nested, uncontrolled postinstalls that run randomly when you pull something it's insane, I don't know how someone at some point ever though that was a good idea.
- I bet there have been a hundred different discussions about this inside of NPM since it was disclosed 10 years ago. With Shai Halud it's gotten too big to ignore.
- It is not obvious from the post but it seems like the allow list for the scripts supports whitelisting packages instead of a global setting. This should make it easier to maintain org-wise rules to allow scripts only for specific packages.
Is there a linter that could be used for scenarios like this to prevent unsafe default on package manager config?
- Are the current LTS node versions (iirc 22, 24, 26) going to update the bundled npm to v12 to benefit from these security fixes? All come with npm v11 now
by aniceperson
5 subcomments
- didn't know npm was owned by github..
well, that explains things...
- I wonder if there are still reasons to use yarn? Has yarn also implemented safeguards to protect against supply chain attacks? Until now, I only knew about pnpm. It’s great that npm has followed up.
- Looks good? But doesn't this just change the compromise window from first installation to first run?
- Does the allow list in package.json pin to the package version, or only to the package name?
- > allowScripts defaults to off
Nice that they're following pnpm's lead on this after [checks watch]... 18 months?
by ComputerGuru
1 subcomments
- My big question as an OSS dev distributing some precompiled binaries via npm for easy installation: does allowScripts also default to disabled when directly installing a package (globally or otherwise)?
- this release fixes a vulnerability reported 10 years ago
https://www.kb.cert.org/vuls/id/319816
by peterkelly
1 subcomments
- Now all the malware can move from the install script to the module itself where it will inevitably still be run
by chimpanzee2
0 subcomment
- Cool, but I default to pnpm these days anyway.
- Better late than never.
- I would've assumed lockfile-by-default. We're still going with auto-updating?
- They should have added a 1-day age limit by default, so security scanners have some time.
- Eh, that only took a few dozen actively exploited supply-chain vulns in the span of two years!
by thrdbndndn
1 subcomments
- How do you allow scripts for tools installed globally?
- > The resulting allowlist is written to package.json
Couldn’t this effectively result in the same process we get in pre-12 defaults?
by WhyNotHugo
0 subcomment
- > To see what would be blocked, run npm approve-scripts --allow-scripts-pending
This naming is atrocious: the verb is "allow", but this actually _displays_ a list of those unapproved? Was --show-blocked too obvious?
by retardedsecguy
1 subcomments
- npm is basically pnpm now
by jbverschoor
0 subcomment
- And when will we get rid of the vendored node_modules, and make it read only?
- npmjs.org is a joke at this point. I guess their support is run by LLM because you can just write to them and they will transfer ownership of any module nilly willy.
by philipwhiuk
0 subcomment
- > On balance, it’s npm’s belief that the utility of having installation scripts is greater than the risk of worms. This is a tradeoff that we will continue to evaluate.
They chose...poorly
- The "aw geez, enough is enough" release.
Finally.
- I hope GitHub changes their vibecoded badges, what does RETIRED even signify in this context? Why does the preview have to be in ominous red?
- [flagged]
- [dead]
- I don't get it. How does this help with anything? You pull in a dependency to use it, right?
by cookiengineer
5 subcomments
- What a pointless change.
If you force every user to just use "--enable-unsecure-feature", guess what will happen?
This is not about improving security. This is about shifting blame.
A much better alternative would've been the introduction of sandboxes or simulation runs that would output which scripts and programs are running due to unpredictable dependencies. This way the user could check before the actual execution, and maintain an allow list much easier. That could be done via an npm update && npm upgrade workflow where the update generates the list that the user has to manually confirm.
Heck, even a chroot would be an improvement, and they're almost pointless these days, considering how good malware got at escaping chroots.
- There's an easy way to stop most supply chain attacks:
1. Publishing users must approve each and every release from a smartphone app.
2. Publishing users must provide verified government ID.
The first step prevents the types of attacks where an attacker gets control of a maintainer's computer and publishes a new release.
The second step discourages attacks where a user tries to get a malicious package used by others.
When combined with the security features that already exist, e.g. delays and automatic scanning, it would make it considerably harder to pull off a successful attack.
Hacker News