
1369 points universesquid | 3 comments
gslepak No.45171930
Tips to protect yourself from supply-chain attacks in the JavaScript ecosystem:

- Don't update dependencies unless necessary

- Don't use `npm` to install NPM packages, use Deno with appropriate sandboxing flags

- Sign up for https://socket.dev and/or https://www.aikido.dev

- Work inside a VM

replies(2): >>45172162 #>>45174619 #
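The "Deno with appropriate sandboxing flags" tip above, spelled out as an added example (not from the thread): a small POSIX shell helper that builds a least-privilege `deno run` command line next to the all-permissions form it replaces. The flags are real Deno CLI flags; the script name and registry host are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a deny-by-default `deno run`
# command for a script that only needs to read the current directory and
# talk to a single host. Script path and host are placeholder assumptions.

# Usage: deno_sandboxed_cmd <script> <allowed-net-host> [allowed-read-dir]
# Prints the command so it can be reviewed before it is copied or eval'd.
deno_sandboxed_cmd() {
  script=$1
  net_host=$2
  read_dir=${3:-.}
  # Refuse an empty or multi-word host: an empty --allow-net would mean
  # "all hosts", which is exactly the over-grant we are trying to avoid.
  case "$net_host" in
    ""|*" "*) echo "refusing: allowed host must be one hostname" >&2; return 1 ;;
  esac
  # --no-prompt : fail instead of interactively asking for more permissions
  # --allow-read: only the given directory, not the whole filesystem
  # --allow-net : only the given host, so a compromised package cannot
  #               phone home to an arbitrary server
  # Deliberately absent: --allow-run, --allow-write, --allow-env, so the
  # dependency tree cannot spawn processes, write files or read secrets.
  printf '%s\n' "deno run --no-prompt --allow-read=$read_dir --allow-net=$net_host $script"
}

# Weak form, for contrast: -A grants every permission to every dependency,
# which is the same trust model as a bare `npm install` running lifecycle
# scripts with the user's full privileges.
weak_cmd() {
  printf '%s\n' "deno run -A $1"
}

# Constructed usage: a build script that only needs the npm registry.
deno_sandboxed_cmd build.ts registry.npmjs.org
```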
egorfine No.45174619
> Don't update dependencies unless necessary

And get yourself drowning in insurmountable technical debt in about two months.

The JS ecosystem moves at an extremely fast pace, and if you don't upgrade packages (semi-)daily you might inflict a lot of pain on yourself once a certain number of packages start to contain incompatible version dependencies. It sucks a lot, I know.

replies(2): >>45175130 #>>45176452 #
lpribis No.45175130
Updating packages daily (!) is insane to me as someone from the other end of the programming spectrum (embedded C). Is this really the recommended practice?
replies(3): >>45175205 #>>45175419 #>>45179818 #
1. egorfine No.45175419
It is insane to me as a C programmer as well. It is something I got used to as a frontend js developer.

It is recommended to stay on top of the dependencies, and for different stacks this means a different update schedule. For some, daily is indeed a good choice.

replies(1): >>45188805 #
2. 1718627440 No.45188805
Even if there is a new version every day, not every release is born equal. Wouldn't updating while developing to "stay on top of dependencies" only be necessary on a major version? Surely there is not a major version per day. I mean, otherwise you would be using a library that constantly imposes work on you, and it would probably make more sense to write the library yourself. Minor versions and bugfixes can be incorporated when you do your release.
replies(1): >>45194761 #
3. egorfine No.45194761
All I want to say is that it's truly cheaper to upgrade and test daily in the world of JavaScript. Seriously, it breaks rarely, and you can immediately spot what exactly failed and fix it right away.

Upgrading after a month will take some serious time.