
1369 points universesquid | 5 comments
gslepak No.45171930
Tips to protect yourself from supply-chain attacks in the JavaScript ecosystem:

- Don't update dependencies unless necessary

- Don't use `npm` to install NPM packages, use Deno with appropriate sandboxing flags

- Sign up for https://socket.dev and/or https://www.aikido.dev

- Work inside a VM

replies(2): >>45172162 #>>45174619 #
egorfine No.45174619
> Don't update dependencies unless necessary

And get yourself drowning in insurmountable technical debt in about two months.

JS ecosystems moves at an extremely fast pace and if you don't upgrade packages (semi) daily you might inflict a lot of pain on you once a certain count of packages start to contain incompatible version dependencies. It sucks a lot, I know.

replies(2): >>45175130 #>>45176452 #
1. gslepak No.45176452
> daily

Somehow we've survived without updating dependencies for probably at least a year.

replies(1): >>45179695 #
2. egorfine No.45179695
Then you probably have over a dozen CVEs in your code. Now, this is a different question whether they are exploitable and how much it is a risk.

Other than that you now probably have an insurmountable technical debt and upgrading the dependencies is a project of itself.

All the above applies to JavaScript world, of course. It's much different for the rest.

replies(3): >>45179966 #>>45188826 #>>45191383 #
3. yread No.45179966

   content-security-policy: default-src 'self';

(and not sending crypto transactions): No need to worry about CVEs in JS
4. 1718627440 No.45188826
If a library introduces CVEs per day, it's probably not so good to begin with.
5. gslepak No.45191383
> Then you probably have over a dozen CVEs in your code.

We continuously monitor our dependencies for CVEs and update them if necessary. Most of the time the CVEs that are reported are not relevant / worth updating for.