alt Hacker News>Running npm install is not negligence. Installing dependencies is not a security failure. The security failure is in an ecosystem that allows packages to run arbitrary code silently.
No, your security failure is that you use a package manager that allows third-parties push arbitrary code into your product with no oversight. You only have "secutity" to the extent that you can trust the people who control those packages to act both competently and in good faith ad infinitum.
Also the OP seemingly implies credentials are stored on-filesystem in plaintext but I might be extrapolating too much there.
Replies
> Running npm install is not negligence. Installing dependencies is not a security failure. The security failure is in an ecosystem that allows packages to run arbitrary code silently.
This is wildly circular logic!
"One person using these tools isn't bad security practice, the problem is that EVERYONE ELSE ["the ecosystem"] uses these tools and doesn't have higher standards!"
It should be no shock to anyone at this point that huge chunks of common developer tools have very poor security profiles. We've seen stories like this many times.
If you care, you need to actually care!
Same thing with IDE plugins. At least some are full-featured by the manufacturer, but I couldn't get on with VS Code as for every small feature I had to install some random plugin (even if popular, but still developed by who-knows-who).
> No, your security failure is that you use a package manager that allows third-parties push arbitrary code into your product with no oversight.
Could you explain how you'd design a package manager that does not allow that? As far as I understand the moment you use third party code you have to trust to some extent the code that you will run.
> Also the OP seemingly implies credentials are stored on-filesystem in plaintext but I might be extrapolating too much there.
Doesn't really matter, if the agent is unlocked they can be accessed.
> Also the OP seemingly implies credentials are stored on-filesystem in plaintext but I might be extrapolating too much there.
To be fair, some tools only support a netrc file for http(s) based auth. Regardless, if you want to use git via http this vector exists almost always.
It wasn't in their product. It was just on a devs machine
>> The security failure is in an ecosystem that allows packages to run arbitrary code silently.
> No, your security failure is that you use a package manager that allows third-parties push arbitrary code into your product with no oversight.
How about both? It’s conceptually straightforward to build a language in which code cannot do anything other than read its inputs, consume resources, and produce correctly typed output.
This would not fully solve the supply chain problem — malicious code could produce maliciously incorrect output or exploit side channels, but the exposure would be much, much less than it is now.