Hundreds of code libraries posted to NPM try to install malware on dev machines
Hundreds of code libraries posted to NPM try to install malware on dev machines
These are not the the developer tools you think they are.
Why can't we have nice things instead.
Tale as old as time.
🎶 Beauty and the beast
I don't know much about NPM (having avoided JS as much as possible for my entire life), but golang seems to have a good solution: 'vendoring'. One can choose to lock all external dependencies to local snapshots brought into a project, with no automatic updating, but with the option to manually update them when desired.
NPM has that as well. In fact most languages and build tools support that. It's actually rare to not have support for that these days.
That won't prevent typo squatting. This article is a out people wanting to add a dependency to "famousLib" and instead typing "famusLib".
What probably help more in Go is the lack of a central repo so you actually need to "go get github.com/whoever..." so typo squatting is a bit be a bit more complicated.
On the other hand it will be an easy fix in NPM by simply adding a check to libraries names and reject names that are too similar since it's centralized.
I'm with you but I have regrettably been sucked into the node-i-verse against my will.
This should kill off NPM
You’d be surprised to see how many common libraries have vulnerabilities every week.
Why stop there lets just kill js in its entirity.
Does anyone know how JSR and Deno would do in this type of attack?
That's also why I always use dev containers