
1369 points universesquid | 1 comments
simpaticoder No.45170488
I've come to the conclusion that avoiding the npm registry is a great benefit. The alternative is to import packages directly from the (git) repository. Apart from being a major vector for supply-chain attacks like this one, it is also true that there is little or no coupling between the source of a project and its published code. The 'npm publish' step pushes local contents into the registry, meaning that a malefactor can easily make changes to code before publishing.
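One way to make the missing coupling between a git tree and a published tarball checkable, as an added example that is not code from the thread: hash every file in the source checkout, hash every file in the tarball (npm tarballs put everything under a leading `package/` directory), report what was added, removed or changed, and flag any lifecycle script in `package.json` that would run on install. The source tree and tarball below are constructed inline so it runs offline; in real use you would point `hash_tree` at `git archive` output for the release tag and `hash_tarball` at the `.tgz` fetched from the registry (or produced by `npm pack`). Package name and file contents are hypothetical.

```python
"""Compare an npm tarball against the source tree it claims to come from.

Added example, not code from the thread. Builds a constructed source tree and a
constructed tarball (what `npm publish` would upload from a maintainer's machine),
then reports files that differ and lifecycle scripts that run on install.
"""
import hashlib
import json
import os
import tarfile
import tempfile

# Lifecycle scripts npm runs on the consumer's machine during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(root: str) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = sha256(fh.read())
    return out


def hash_tarball(path: str) -> tuple:
    """Map member path (minus the leading 'package/' prefix) -> sha256.

    Returns (hashes, parsed package.json or {} if absent)."""
    out, manifest = {}, {}
    with tarfile.open(path, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            data = tar.extractfile(member).read()
            out[rel] = sha256(data)
            if rel == "package.json":
                manifest = json.loads(data)
    return out, manifest


def compare(source: dict, published: dict) -> dict:
    """Diff two path->hash maps; any non-empty list means the tarball is not the repo."""
    added = sorted(set(published) - set(source))
    removed = sorted(set(source) - set(published))
    changed = sorted(p for p in set(source) & set(published) if source[p] != published[p])
    return {"added": added, "removed": removed, "changed": changed}


def install_hooks(manifest: dict) -> dict:
    """Return only the scripts that execute on the installing machine."""
    return {k: v for k, v in manifest.get("scripts", {}).items() if k in INSTALL_HOOKS}


def write_files(root: str, files: dict) -> None:
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)


def demo() -> dict:
    """Constructed scenario: the repo is clean, the tarball uploaded from the
    maintainer's machine carries an extra file, a patched entry point and a
    postinstall hook that exist nowhere in git."""
    source_files = {  # hypothetical package, constructed for the example
        "package.json": json.dumps({"name": "left-pad-ish", "version": "1.0.0", "main": "index.js"}),
        "index.js": "module.exports = (s, n) => s.padStart(n);\n",
    }
    published_files = dict(source_files)
    published_files["package.json"] = json.dumps({
        "name": "left-pad-ish", "version": "1.0.0", "main": "index.js",
        "scripts": {"postinstall": "node ./setup.js"},  # hook not present in the repo
    })
    published_files["setup.js"] = "/* constructed: exists only in the tarball */\n"
    published_files["index.js"] = source_files["index.js"] + "require('./setup');\n"

    with tempfile.TemporaryDirectory() as tmp:
        src, pub = os.path.join(tmp, "repo"), os.path.join(tmp, "package")
        write_files(src, source_files)
        write_files(pub, published_files)
        tgz = os.path.join(tmp, "left-pad-ish-1.0.0.tgz")
        with tarfile.open(tgz, "w:gz") as tar:
            tar.add(pub, arcname="package")  # npm layout: everything under package/
        published, manifest = hash_tarball(tgz)
        report = compare(hash_tree(src), published)
        report["install_hooks"] = install_hooks(manifest)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as-is and the report lists `setup.js` as added, `index.js` and `package.json` as changed, and the `postinstall` hook; an empty diff and no hooks is what a release that actually came from the tagged commit looks like. npm's provenance attestations (`npm publish --provenance` from a supported CI) close the same gap from the other side by binding a tarball to the commit and build that produced it, which you can then verify instead of diffing by hand.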
HexDecOctBin No.45171235
As a C developer, having been told for a decade that minimising dependencies and vendoring stuff straight from release is obsolete and regressive, and now seeing people have the novel realisation that it's not, is so so surreal.

Although I'll still be told that using single-header libraries and avoiding the C standard library are regressive and obsolete, so gotta wait 10 more years I guess.

dpc_01234 No.45173360
NPM dev gets hacked, packages compromised, it's detected within a couple of hours.

XZ got hacked, it reached development versions of major distributions undetected, right inside an _ssh_, and it only got detected due to someone luckily noticing and investigating slow ssh connections.

Still some C devs will think it's a great time to come out and boast about their practices and tooling. :shrug:

typpilol No.45175911
Lol it's so true.. the C smugness is unmatched