top | item 45767585


ab_testing | 4 months ago

Given the recent npm attacks, is it even safe to develop using npm? Whenever I start a React project, it downloads hundreds of additional packages which I have no idea about what they do. As a developer who has learnt programming as a hobby, is it better to stick to some other safe ways to develop front end like Thymeleaf or plain JS or something else?

When I build a backend in Flask or Django, I specifically type the Python packages that I need. But front end development seems like a Pandora's box of vulnerabilities.

silverwind | 4 months ago

All package ecosystems that allow unvetted code to be published are affected; it just happens that npm is by far the most popular one, so it gets all the news.

socalgal2 | 4 months ago

It's no different anywhere else. I just downloaded jj (Rust), and it installed 470+ packages.

When I downloaded wan2gp (Python), it installed 211 packages.

brabel | 4 months ago

Oh man, you picked the one other language that followed the JavaScript model?! How about C, Java, Go, Lisp, C#, C++, D… and new ones like Odin that are explicitly against package managers for this very reason.

klabb3 | 4 months ago

> It's no different anywhere else.

But it is. Both C/C++ and Go are not at all like this.

I don't know about Python, but the Rust ecosystem tends to attract enthusiasts who make good single-purpose packages that are then abandoned because maintainers move on, or sometimes forked due to minor disagreements, similar to how Linux/Unix is fragmented with tribal feuds.

BrouteMinou | 4 months ago

M'yea, good luck finding such an occurrence with NuGet or Maven, for example. I would rephrase your "anywhere else".

NPM is a terrible ecosystem, and trying to defend its current state is a lost cause. The energy should be focused on how to fix that ecosystem instead of playing dumb and telling people "it's all ok, look at other, also poorly designed, systems".

Don't forget that Rust's Cargo got heavily inspired by NPM, which is not something to brag about.[0]

> "Rust has absolutely stunning dependency management," one engineer enthused, noting that Rust's strategy took inspiration from npm's.

[0] https://rust-lang.org/static/pdfs/Rust-npm-Whitepaper.pdf

scuff3d | 4 months ago

One of the biggest things that pushes me away from Rust is the reliance on micro dependencies. It's a terrible model.

maxloh | 4 months ago

I come from a JavaScript background, and I've got to admit that the ecosystem is designed in a way that is really prone to attack.

It is like the xz incident, except that each dependency you pull is maintained by a random guy on the internet. You have to trust every one of them to be genuine and that they won't fall into any social engineering attacks.

TZubiri | 4 months ago

Here's my black pill: Node in general is not safe.

The blurring of the client-server lines is a security risk. It is very easy to expose the wrong thing, and the language appeals to people who know one language (which correlates with lack of experience).

In my personal experience, Node projects developed under my supervision had very basic client-server boundary vulns 66.67% of the time. Empirically, it's not great.

fragmede | 4 months ago

Just a heads up that PyPI isn't immune from the same attack; searching "PyPI supply chain attack" on Google reveals a (much smaller) number of packages that turned out to be malware. Some were not misspellings either, with one being a legitimate package that got hacked via GitHub Actions and a malicious payload added to the otherwise legitimate package.

graemep | 4 months ago

Definitely, and you should be aware of the risk and think about and assess your dependencies.

Having a large standard library does reduce the number of dependencies, and you can go a long way using only well known dependencies.

tjpnz | 4 months ago

No language ecosystem is, but NPM/Node still encourages this idea (borrowed from elsewhere and interpreted poorly) that everything must be its own tiny package and that it's acceptable to author libraries consisting of thousands of transitive dependencies from potentially dubious sources. Just this week I saw one (an unmaintained dependency of a popular package) which consisted of a list of a dozen SQL operators. Anywhere else you would just write the damn code, maybe add a comment that these are the SQL-92 operators, and be done with it literally forever. But in Node land that would be viewed as an antipattern which only another package can fix. It's a security and maintenance nightmare that can only be explained by laziness and outright stupidity.

azangru | 4 months ago

> As a developer who has learnt programming as a hobby, is it better to stick to some other safe ways to develop front end like Thymeleaf or plain JS or something else?

Oh, absolutely, there is no question about it. Fewer dependencies means less headache; and if you can get the number of your dependencies to zero, then you have won the internet.

nektro | 4 months ago

This is one of the less talked about benefits of using Bun.

Defletter | 4 months ago

How does Bun avoid this? Or is it more that Bun provides things that you'd otherwise need a dependency for (e.g. websockets)?