
441 points longcat | 9 comments
f311a No.45038992
People really need to start thinking twice when adding a new dependency. So many supply chain attacks this year.

This week, I needed to add a progress bar with 8 stats counters to my Go project. I looked at the libraries, and they all had 3000+ lines of code. I asked an LLM to write me a simple progress report tracking UI, and it was less than 150 lines. It works as expected, no dependencies needed. It's extremely simple, and everyone can understand the code. It just clears the terminal output and redraws it every second. It is also thread-safe. Took me 25 minutes to integrate it and review the code.

If you don't need a complex stats counter, a simple progress bar is like 30 lines of code as well.

This is a way to go for me now when considering another dependency. We don't have the resources to audit every package update.

replies(17): >>45039115 #>>45039225 #>>45039464 #>>45039724 #>>45039994 #>>45040021 #>>45040056 #>>45040113 #>>45040151 #>>45040162 #>>45040972 #>>45041479 #>>45041745 #>>45044165 #>>45045435 #>>45045983 #>>45052913 #
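The kind of dependency-free tracker the post above describes, written here as an added example (not the commenter's code): a mutex-guarded done/total count plus named stat counters, rendered as a text bar, and the clear-and-redraw frame that a once-per-second ticker goroutine would print. The type and method names (Tracker, Step, Add, Render, Frame) are my own choices.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"sync"
)

// Tracker: a done/total count plus named stat counters; every method takes the mutex, so workers may report concurrently.
type Tracker struct {
	mu          sync.Mutex
	done, total int64
	stats       map[string]int64
}

func NewTracker(total int64) *Tracker { return &Tracker{total: total, stats: map[string]int64{}} }
// Step records n finished units of work; Add bumps a named stat such as "errors".
func (t *Tracker) Step(n int64)            { t.mu.Lock(); t.done += n; t.mu.Unlock() }
func (t *Tracker) Add(name string, n int64) { t.mu.Lock(); t.stats[name] += n; t.mu.Unlock() }

// Render returns the dashboard text: a 30-cell bar, then one line per stat sorted by name.
func (t *Tracker) Render() string {
	t.mu.Lock()
	defer t.mu.Unlock()
	const width = 30
	filled := 0
	if t.total > 0 {
		filled = int(t.done * width / t.total)
	}
	if filled > width {
		filled = width // clamp so strings.Repeat never gets a negative count if work is over-reported
	}
	var b strings.Builder
	fmt.Fprintf(&b, "[%s%s] %d/%d\n", strings.Repeat("#", filled), strings.Repeat("-", width-filled), t.done, t.total)
	names := make([]string, 0, len(t.stats))
	for k := range t.stats {
		names = append(names, k)
	}
	sort.Strings(names)
	for _, k := range names {
		fmt.Fprintf(&b, "%-10s %d\n", k, t.stats[k])
	}
	return b.String()
}

// Frame is what a once-per-second ticker goroutine prints: ANSI cursor-home + erase-screen, then the dashboard.
func (t *Tracker) Frame() string { return "\033[H\033[2J" + t.Render() }

func main() { tr := NewTracker(4); tr.Step(1); tr.Add("errors", 0); fmt.Print(tr.Frame()) }
```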
littlecranky67 No.45040021
We are using NX heavily (and are not affected) in my teams in a larger insurance company. We have >10 standalone line of business apps and 25+ individual libraries in the same monorepo, managed by NX. I've toyed with other monorepo tools for this kind of complex setup in my career (lerna, rushjs, yarn workspaces), but not only did none come close, lerna has basically been handed over to NX, and rushjs is unmaintained.

If you have any proposal for how to properly manage the complexity of a FE monorepo with dozens of daily developers involved and heavy CI/CD/DevOps integration, please post alternatives - given that security incident, many people are looking.

replies(4): >>45040196 #>>45040204 #>>45040812 #>>45043158 #
1. threetonesun No.45040196
npm workspaces and npm scripts will get you further than you might think. Plenty of people got along fine with Lerna, which didn't do much more than that, for years.

I will say, I was always turned off by NX's core proposition when it launched, and more turned off by whatever they're selling as a CI/CD solution these days, but if it works for you, it works for you.

replies(3): >>45040490 #>>45040941 #>>45040987 #
2. crabmusket No.45040490
I'd recommend pnpm over npm for monorepos. Forcing you to be explicit about each package's dependencies is good.

I found npm's workspace features lacking in comparison and sparsely documented. It was also hard to find advice on the internet. I got the sense nobody was using npm workspaces for anything other than beginner articles.

replies(2): >>45040634 #>>45040777 #
3. dboreham No.45040634
After 10 years or so enduring the endless cycle of "new thing to replace npm", I'm using: npm. And I'm not creating monorepos.
replies(1): >>45051259 #
4. threetonesun No.45040777
In the context of what we're talking about here, using the default package manager to install a different package manager as a dependency has never quite sat right with me.

And npm workspaces is certainly "lacking features" compared to NX, but in terms of making `npm link` for local packages easier and running scripts across packages it does fine.

replies(1): >>45051248 #
5. littlecranky67 No.45040941
I buried npm years ago; we are happily using yarn (v4 currently) in that project. Which also means, even if we were affected by the malware, nobody uses the .npmrc (we have a .yarnrc.yml instead) :)
6. littlecranky67 No.45040987
Killer feature of NX is its build cache and the ability to operate on the git staged files. It takes a couple of minutes to build our entire repo on an M4 Pro. NX caches the builds of all libs and will only rebuild those that are affected. Same holds true for linting, prettier, tests etc. Any solution that just executes full builds would be a non-starter for all use cases.
replies(1): >>45041336 #
7. halflife No.45041336
Don't forget the task dependency tree; without that you will have a ton of build scripts.
8. crabmusket No.45051248
Yes, I've found the experience of getting pnpm quite irritating/confusing. Corepack doesn't seem to work the way I would want it to, either.
9. crabmusket No.45051259
I was happily using npm until I outgrew it. pnpm seemed the smallest step towards what I needed after having evaluated nx, moonrepo etc.