←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 5 comments | 16 Sep 25 11:22 UTC | HN request time: 0.001s | source
Show context
jbd0 ◴[16 Sep 25 11:50 UTC] No.45260954[source]
I knew npm was a train wreck when I first used it years ago and it pulled in literally hundreds of dependencies for a simple app. I avoid anything that uses it like the plague.
replies(3): >>45260975 #>>45261085 #>>45261124 #
oVerde ◴[16 Sep 25 11:51 UTC] No.45260975[source]
So basically you live JavaScript free?
replies(4): >>45260998 #>>45261034 #>>45261487 #>>45261734 #
Xelbair ◴[16 Sep 25 11:57 UTC] No.45261034[source]
as much as i can yes.

I try to avoid JS, as it is a horrible language, by design. That does include TS, but it at least is useable, but barely - because it still tied to JS itself.

replies(3): >>45261071 #>>45261213 #>>45261604 #
hoppp ◴[16 Sep 25 12:57 UTC] No.45261604[source]
Lucky you. I keep coming back to it because jobs and even for desktop apps a native webview beats everything else.

We fcked up with js, big time and its with us forever now

replies(3): >>45261698 #>>45261995 #>>45281955 #
1. sfn42 ◴[16 Sep 25 13:29 UTC] No.45261995{3}[source]
I was hyped for wasm because i thought it was supposed to solve this problem, allowing any programming language to be compiled to run in browsers.

But apparently they only made it do like 95% of what JS does so you can't actually replace js with it. To me it seems like a huge blunder. I don't give a crap about making niche applications a bit faster, but freeing the web from the curse of JS would be absolutely huge. And they basically did it except not quite. It's so strange to me, why not just go the extra 5%?

replies(3): >>45262081 #>>45265200 #>>45272185 #
2. hoppp ◴[16 Sep 25 13:36 UTC] No.45262081[source]
Maybe its something about sharing memory with the js that would introduce serious vulnerabilities so they can't let wasm code have access to everything.

The only way to remove Js is to create a new browser that doesn't use it. Fragments the web, yes and probably nobody will use it

3. lyu07282 ◴[16 Sep 25 17:29 UTC] No.45265200[source]
That 5% of js glue code necessary right now is just monumentally difficult to get rid of, it's like a binary serialization / interface (ABI) of all DOM/BOM APIs and these APIs are huge, dynamic, callback-heavy and object-oriented. It's much easier to have that glue compiler generated, which you can already do right now (you can write your entire web app in rust if you want):

https://github.com/wasm-bindgen/wasm-bindgen https://docs.rs/web-sys/latest/web_sys/

This is also being worked on, in the future this 5% glue might eventually entirely disappear:

> Designed with the "Web IDL bindings" proposal in mind. Eventually, there won't be any JavaScript shims between Rust-generated wasm functions and native DOM methods

4. joquarky ◴[17 Sep 25 05:44 UTC] No.45272185[source]
The DOM is fundamentally dependent upon JS shaped data structures and garbage collection. They are BFFs.

Any attempt to bypass this will be perilous.

replies(1): >>45272397 #
5. sfn42 ◴[17 Sep 25 06:20 UTC] No.45272397[source]
So we'd need a new DOM, seems feasible