
441 points longcat | 3 comments
f311a No.45038992
People really need to start thinking twice when adding a new dependency. So many supply chain attacks this year.

This week, I needed to add a progress bar with 8 stats counters to my Go project. I looked at the libraries, and they all had 3000+ lines of code. I asked an LLM to write me a simple progress report tracking UI, and it was less than 150 lines. It works as expected, no dependencies needed. It's extremely simple, and everyone can understand the code. It just clears the terminal output and redraws it every second. It is also thread-safe. Took me 25 minutes to integrate it and review the code.

If you don't need a complex stats counter, a simple progress bar is like 30 lines of code as well.

This is the way to go for me now when considering another dependency. We don't have the resources to audit every package update.

replies(17): >>45039115 #>>45039225 #>>45039464 #>>45039724 #>>45039994 #>>45040021 #>>45040056 #>>45040113 #>>45040151 #>>45040162 #>>45040972 #>>45041479 #>>45041745 #>>45044165 #>>45045435 #>>45045983 #>>45052913 #
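As an added example (not f311a's code, which is not posted in the thread): a dependency-free Go progress tracker of the kind described. Named counters sit behind a mutex so worker goroutines can update them concurrently; the redraw goroutine takes a copy under the lock and never reads live state, and a ticker clears the terminal with the ANSI clear-screen sequence and redraws once per second. The counter names, the total and the worker simulation in main are constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
	"sync"
	"time"
)

// Tracker holds progress plus a set of named counters behind one mutex.
type Tracker struct {
	mu       sync.Mutex
	done     int64
	total    int64
	counters map[string]int64
}

// NewTracker pre-registers counter names so the report has a stable layout.
func NewTracker(total int64, names ...string) *Tracker {
	t := &Tracker{total: total, counters: make(map[string]int64, len(names))}
	for _, n := range names {
		t.counters[n] = 0
	}
	return t
}

// Add increments a named counter; unknown names are created on first use.
func (t *Tracker) Add(name string, delta int64) {
	t.mu.Lock()
	defer t.mu.Unlock()
	t.counters[name] += delta
}

// Done marks n units of work as finished.
func (t *Tracker) Done(n int64) {
	t.mu.Lock()
	defer t.mu.Unlock()
	t.done += n
}

// Snapshot copies the state under the lock so rendering never races with updates.
func (t *Tracker) Snapshot() (done, total int64, counters map[string]int64) {
	t.mu.Lock()
	defer t.mu.Unlock()
	counters = make(map[string]int64, len(t.counters))
	for k, v := range t.counters {
		counters[k] = v
	}
	return t.done, t.total, counters
}

// Bar renders a fixed-width progress bar of `width` cells; a zero total cannot
// be expressed as a percentage, so it is drawn empty rather than dividing by zero.
func Bar(done, total int64, width int) string {
	if total <= 0 {
		return fmt.Sprintf("[%s]   n/a (%d/%d)", strings.Repeat("-", width), done, total)
	}
	filled := int(done * int64(width) / total)
	if filled > width {
		filled = width
	}
	if filled < 0 {
		filled = 0
	}
	pct := float64(done) * 100 / float64(total)
	return fmt.Sprintf("[%s%s] %5.1f%% (%d/%d)",
		strings.Repeat("#", filled), strings.Repeat("-", width-filled), pct, done, total)
}

// Render builds the whole report; counters are sorted so successive redraws line up.
func Render(done, total int64, counters map[string]int64, width int) string {
	var sb strings.Builder
	sb.WriteString(Bar(done, total, width))
	sb.WriteByte('\n')
	names := make([]string, 0, len(counters))
	for n := range counters {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Fprintf(&sb, "  %-12s %d\n", n, counters[n])
	}
	return sb.String()
}

// Run clears the screen and redraws every interval until stop is closed, then
// draws one final time so the last state is visible.
func (t *Tracker) Run(interval time.Duration, stop <-chan struct{}) {
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for {
		select {
		case <-ticker.C:
			t.draw()
		case <-stop:
			t.draw()
			return
		}
	}
}

func (t *Tracker) draw() {
	d, tot, c := t.Snapshot()
	fmt.Fprint(os.Stdout, "\033[H\033[2J"+Render(d, tot, c, 40)) // ANSI: cursor home, clear screen
}

func main() {
	t := NewTracker(1000, "ok", "retried", "failed")
	stop, finished := make(chan struct{}), make(chan struct{})
	go func() { t.Run(time.Second, stop); close(finished) }()
	var wg sync.WaitGroup
	for w := 0; w < 4; w++ { // constructed workload: 4 workers, 250 items each
		wg.Add(1)
		go func() {
			defer wg.Done()
			for i := 0; i < 250; i++ {
				time.Sleep(10 * time.Millisecond)
				switch {
				case i%50 == 0:
					t.Add("failed", 1)
				case i%7 == 0:
					t.Add("retried", 1)
				default:
					t.Add("ok", 1)
				}
				t.Done(1)
			}
		}()
	}
	wg.Wait()
	close(stop)
	<-finished
}
```

The only shared state is inside Tracker, and every read goes through Snapshot, so the redraw loop can run at any frequency without a data race; running the program under `go run -race` is a cheap way to confirm that when reviewing code like this.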
wat10000 No.45039225
Part of the value proposition for bringing in outside libraries was: when they improve it, you get that automatically.

Now the threat is: when they “improve” it, you get that automatically.

left-pad should have been a major wake-up call. Instead, the lesson people took away from it seems to have mostly been, “haha, look at those idiots pulling in an entire dependency for ten lines of code. I, on the other hand, am intelligent and thoughtful because I pull in dependencies for a hundred lines of code.”

replies(2): >>45039649 #>>45040119 #
chuckadams No.45040119
So, what's the acceptable LOC count threshold for using a library?

Maybe scolding and mocking people isn't a very effective security posture after all.

replies(2): >>45040731 #>>45042129 #
1. wat10000 No.45042129
Time for everybody's favorite engineering answer: it depends! You have to weigh the cost/benefit tradeoff. But you have to do it in full awareness of the costs, including potential costs from packages being taken down, broken, or subverted. In any case, for an external dependency, 100 lines is way too low of a benefit.

I'm not trying to be effective, I'm just lamenting. Maybe being sarcastic isn't a very effective way to get people to be effective?

replies(1): >>45043338 #
2. chuckadams No.45043338
Naw, sarcasm totally works... ;)

I'd say it all depends -- there's that word again -- on what those 100 LOC are expressing. I suppose one could still copy/paste such a small amount of code, but I'd rather just check in some subset of vendored dependencies. Or maybe just pin the dependency to a commit hash (since we can't depend on version tags being immutable). Something actionable beyond peer pressure at any rate.

replies(1): >>45044777 #
3. wat10000 No.45044777
There are definitely 100-line chunks of code I wouldn't want to rewrite from scratch. They also tend not to be the sort of thing that needs a lot of updates, so a copy/paste job ought to do the job.

The big advantage with a dependency manager is that you don't have to find all of the dependency's dependencies, figure out the right build settings, etc. That's super helpful when it's huge, but it's not really doing anything for you when it's small.