
YuechenLi today at 6:00 AM (4 replies)

This seems to be primarily a problem with NPM, since it's the only package manager that I know of that allows for package authors to essentially run arbitrary post-install scripts silently on package install.

Shai Hulud/Mini Shai Hulud happened because of this obvious glaring hole in the system; they even had the script download an official copy of Bun to spread itself in case the targeted machine had hardened its security. So, the real question is not what other security features a package manager needs; it should be: why does a package manager have the ability to let package authors run arbitrary scripts silently on other people's computers in the first place?

It doesn't really matter how good your security system is if the front door is left wide open for anyone to walk through.


Replies

nightfly today at 6:28 AM

> since it's the only package manager that I know of that allows for package authors to essentially run arbitrary post-install scripts silently on package install

Are you sure? I'm pretty sure .deb and .rpm packages both allow that

captn3m0 today at 6:15 AM

(Author here). It isn’t a matter of pre-install hooks. I don’t want known malware on my system irrespective of whether it runs at install-time or not. Pre-install hooks are going away in NPM, but we will have code injected in index.js next.

Modern package managers are not amenable to letting another script override its resolutions, and that is what needs fixing.

jiehong today at 6:06 AM

I agree with your premise.

I’d even say perhaps we need a fine-grained permission system like Apple provides, but for CLIs, not just something limited to maintainers of package managers.

TZubiri today at 6:35 AM

pypi/pip are also being hit by a supply chain epidemic.