
1369 points universesquid | 2 comments
a022311 ◴[] No.45170937[source]
After all these incidents, I still can't understand why package registries don't require cryptographic signatures on every package. It introduces a bit more friction (developers downloading CI artifacts and manually signing and uploading them), but it prevents most security incidents. Of course, this can fail if it's automated by some CI/CD system, as those are apparently easily compromised.
replies(5): >>45171165 #>>45171479 #>>45175846 #>>45177751 #>>45180040 #
parliament32 ◴[] No.45171165[source]
Real registries do [1], npm is just amateur-hour which is why its usage is typically forbidden in enterprise contexts.

[1] https://www.debian.org/doc/manuals/securing-debian-manual/de...

replies(3): >>45171532 #>>45171856 #>>45176279 #
9dev ◴[] No.45171856[source]
In all fairness—npm belongs to GitHub, which belongs to Microsoft. Amateur-hour is both not a valid excuse anymore, and also a boring explanation. GitHub is going to great lengths to enable SLSA attestations for secure tool chains; there must be systemic issues in the JS ecosystem that make an implementation of proper attestations infeasible right now, everything else wouldn't really make sense.

So if we're discussing anything here, why not what this reason is, instead of everyone praising their favourite package registry?

replies(2): >>45172100 #>>45173733 #
parliament32 ◴[] No.45172100[source]
The NPM team has repeatedly commented that it's "too hard", effectively, and would discourage new developers from publishing packages. See:

https://github.com/npm/npm/pull/4016#issuecomment-76316744

https://news.ycombinator.com/item?id=38645969

https://github.com/npm/cli/commit/5a3b345d6d5d175ea9ec967364...

replies(3): >>45172668 #>>45173859 #>>45175601 #
jiggawatts ◴[] No.45175601[source]
> discourage new developers from publishing packages

Good.

replies(2): >>45179909 #>>45182822 #
yread ◴[] No.45179909[source]
It's not like these packages are super sophisticated million-LOC masterpieces. ansi-regex is literally just this:

    export default function ansiRegex({onlyFirst = false} = {}) {
        // Valid string terminator sequences are BEL, ESC\, and 0x9c
        const ST = '(?:\\u0007|\\u001B\\u005C|\\u009C)';

        // OSC sequences only: ESC ] ... ST (non-greedy until the first ST)
        const osc = `(?:\\u001B\\][\\s\\S]*?${ST})`;

        // CSI and related: ESC/C1, optional intermediates, optional params (supports ; and :) then final byte
        const csi = '[\\u001B\\u009B][[\\]()#;?]*(?:\\d{1,4}(?:[;:]\\d{0,4})*)?[\\dA-PR-TZcf-nq-uy=><~]';

        const pattern = `${osc}|${csi}`;

        return new RegExp(pattern, onlyFirst ? undefined : 'g');
    }
replies(1): >>45188586 #
1718627440 ◴[] No.45188586[source]

    ... | wc -c
    592
592 bytes of code including comments and whitespace versus which amount of overhead in package description, tarball caches, etc...?