(www.aikido.dev)

1369 points universesquid | 1 comments | 08 Sep 25 15:37 UTC | HN request time: 0.202s | source

https://github.com/advisories/GHSA-8mgj-vmr8-frr6

Show context

gslepak ◴[08 Sep 25 18:26 UTC] No.45171930[source]▶

>>45169657 (OP) #

Tips to protect yourself from supply-chain attacks in the JavaScript ecosystem:

- Don't update dependencies unless necessary

- Don't use `npm` to install NPM packages, use Deno with appropriate sandboxing flags

- Sign up for https://socket.dev and/or https://www.aikido.dev

- Work inside a VM

replies(2): >>45172162 #>>45174619 #

egorfine ◴[08 Sep 25 22:03 UTC] No.45174619[source]▶

>>45171930 #

> Don't update dependencies unless necessary

And get yourself drowning in insurmountable technical debt in about two months.

JS ecosystems moves at an extremely fast pace and if you don't upgrade packages (semi) daily you might inflict a lot of pain on you once a certain count of packages start to contain incompatible version dependencies. It sucks a lot, I know.

replies(2): >>45175130 #>>45176452 #

gslepak ◴[09 Sep 25 01:45 UTC] No.45176452[source]▶

>>45174619 #

> daily

Somehow we've survived without updating dependencies for probably at least a year.

replies(1): >>45179695 #

egorfine ◴[09 Sep 25 09:35 UTC] No.45179695[source]▶

>>45176452 #

Then you probably have over a dozen CVEs in your code. Now, this is a different question whether they are exploitable and how much it is a risk.

Other than that you now probably have an insurmountable technical debt and upgrading the dependencies is a project of itself.

All the above applies to JavaScript world, of course. It's much different for the rest.

replies(3): >>45179966 #>>45188826 #>>45191383 #

1. yread ◴[09 Sep 25 10:13 UTC] No.45179966[source]▶

>>45179695 #

   content-security-policy: default-src 'self';

(and not sending crypto transactions): No need to worry about CVEs in js

↑

NPM debug and chalk packages compromised