Programming

26958 readers

1280 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Follow the programming.dev instance rules
Keep content related to programming in some way
If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 2 years ago

MODERATORS

snowe@programming.dev

Ategon@programming.dev

UlrikHD@programming.dev

bugsmith@programming.dev

Spyro@programming.dev

188

‘No Way To Prevent This,’ Says Only Package Manager Where This Regularly Happens (kevinpatel.xyz)

submitted 20 hours ago by HaraldvonBlauzahn@feddit.org to c/programming@programming.dev

39 comments fedilink hide all child comments

SAN FRANCISCO, CA - In the wake of a devastating supply chain attack in the npm registry that left millions of enterprise applications compromised and billions of user records exposed, developers across the JavaScript ecosystem expressed deep sorrow today, lamenting that such a crisis was completely unavoidable.

“It’s a shame, but what can you do? This is just the price of building modern web apps,” said Senior Frontend Engineer Mark Vance, echoing the sentiments of a community that completely relies on a 40-level-deep nested tree of unvetted packages maintained by pseudonymous strangers to capitalize a single string. “There’s absolutely no way to foresee or prevent someone from taking over a long-abandoned utility package and injecting a crypto-miner into every production build in the world. It’s just an act of nature.”

you are viewing a single comment's thread
view the rest of the comments

[–] ijhoo@lemmy.ml 1 points 9 hours ago (3 children)

what would be a possible alternative?

going directly to repos of e.g. tanstack?

[–] sus@programming.dev 8 points 7 hours ago* (last edited 7 hours ago)

The simplest fix is a delay between an update being pushed and the update being deployed everywhere. Several orgs are scanning all popular dependencies for supply chain attacks and they usually catch them quickly, just not quickly enough when there is no delay.

[–] NostraDavid@programming.dev 3 points 8 hours ago

Vet certain versions of packages, and use those whenever you can, also for subdependencies. Effectively create 'stable' versions of packages that are guaranteed safe to use.

Yes, it'll be a ton of extra work, but that's the price for security.

[–] GreenKnight23@lemmy.world 3 points 9 hours ago (1 children)

it works for c libs...

[–] iglou@programming.dev 2 points 9 hours ago* (last edited 8 hours ago) (1 children)

And this is one of the reasons C is not more popular. C is not a model for modern programming.

[–] mabeledo@lemmy.world 3 points 6 hours ago

I don’t know why it wouldn’t. This is the model Go uses, their package registry is just a glorified index of code repositories.

C is not that popular nowadays because most devs don’t want to deal with the tradeoffs, most importantly memory handling and management.