
1369 points universesquid | 1 comments
gslepak ◴[] No.45171930[source]
Tips to protect yourself from supply-chain attacks in the JavaScript ecosystem:

- Don't update dependencies unless necessary

- Don't use `npm` to install NPM packages, use Deno with appropriate sandboxing flags

- Sign up for https://socket.dev and/or https://www.aikido.dev

- Work inside a VM

replies(2): >>45172162 #>>45174619 #
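One way to check the pinning discipline that the "don't update unless necessary" tip implies, as an added example that is not from the thread: it audits a package.json for floating version specifiers and a package-lock.json (lockfileVersion 2 or 3 layout is assumed) for entries that lack an integrity hash or resolve outside the public registry. The sample manifest and lockfile are constructed for the demo.

```javascript
// Added example, not code from the thread. Checks that a manifest pins exact
// versions and that every lockfile entry is verifiable, so an unintended bump
// or a swapped tarball shows up in review instead of at install time.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const REGISTRY = /^https:\/\/registry\.npmjs\.org\//;

// Flags manifest entries that float: ranges (^, ~, >=), dist-tags such as
// "latest", and git/file specifiers. Anything not an exact semver is reported.
function findFloatingDeps(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT.test(spec)) out.push(`${field}:${name}@${spec}`);
    }
  }
  return out;
}

// Flags lockfile entries (v2/v3 "packages" map, an assumption of this example)
// missing a sha512 integrity or resolved outside the public registry.
// The root entry ("") and workspace links are skipped.
function findUnverifiableLockEntries(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue;
    if (!entry.integrity || !/^sha512-/.test(entry.integrity)) out.push(`${path}: no sha512 integrity`);
    if (!entry.resolved || !REGISTRY.test(entry.resolved)) out.push(`${path}: resolved ${entry.resolved || "(none)"}`);
  }
  return out;
}

// Constructed sample inputs (not a real project; the integrity value is a placeholder).
const samplePkg = {
  dependencies: { "left-pad": "1.3.0", chalk: "^5.3.0" },
  devDependencies: { eslint: "latest" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo" },
    "node_modules/left-pad": { version: "1.3.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz", integrity: "sha512-CONSTRUCTED" },
    "node_modules/chalk": { version: "5.3.0", resolved: "https://example.invalid/chalk-5.3.0.tgz" },
  },
};

function auditSample() {
  return { floating: findFloatingDeps(samplePkg), lock: findUnverifiableLockEntries(sampleLock) };
}

console.log(JSON.stringify(auditSample(), null, 2));
```

Pointing the two functions at a real project means `JSON.parse`-ing its package.json and package-lock.json in place of the constructed objects.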
egorfine ◴[] No.45174619[source]
> Don't update dependencies unless necessary

And get yourself drowning in insurmountable technical debt in about two months.

The JS ecosystem moves at an extremely fast pace, and if you don't upgrade packages (semi-)daily you might inflict a lot of pain on yourself once a certain number of packages start to contain incompatible version dependencies. It sucks a lot, I know.

replies(2): >>45175130 #>>45176452 #
lpribis ◴[] No.45175130[source]
Updating packages daily (!) is insane to me as someone from the other end of the programming spectrum (embedded C). Is this really the recommended practice?
replies(3): >>45175205 #>>45175419 #>>45179818 #
acdha ◴[] No.45175205{3}[source]
It varies but there are a lot of tools built around the idea of rapid updates so things like APIs can change quickly throughout a far more fragmented ecosystem. I suspect that we’re going to see a lot of places back off of that a bit to have something like monthly update cycles where there’s more time for scanning and review while still expecting people to upgrade more frequently than used to be common.