23 votes

Details about the event-stream incident

3 comments

  1. balooga

    I have a bad feeling this is just the beginning. The Node.js ecosystem has some serious systemic problems and we're only in the early stages of seeing them exploited.

    I think there should be a trusted tracker of incidents like these with its own npm module. Something that would serve as a notification mechanism for developers. All you would need to do is include the module in your application, and whenever you build, it'll do a quick check of all your dependencies and compare them against the master list of known malware. If a match is found, your build fails and you get a link to details, with possible solutions (like trusted alternative modules or known-safe earlier versions of the compromised ones) recommended. It would be a little like HaveIBeenPwned for the JS world.

    Actually I'd be surprised if this doesn't already exist. I don't have my finger on the pulse of that scene. Seems like this, if implemented well, could go a long way toward mitigating widespread incidents like event-stream.

    5 votes
    1. Comment deleted by author
      1. balooga
        Brilliant! I knew I wasn't that clever. I'll read up on this, thanks for the link!

        2 votes
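As an added illustration of the build-time check balooga proposes above (example code, not from the thread or any existing tool), this walks a package-lock.json v1 dependency tree, matches installed versions against a list of known-malicious releases, and fails the build with a link and a remediation hint. The advisory entries, URLs, package names and lockfile are all constructed sample data.

```javascript
// Constructed advisory entries; names and URLs are placeholders, not real advisories.
const ADVISORIES = [
  { name: "sample-stream-utils", versions: ["3.3.6"], safe: "3.3.5",
    url: "https://example.invalid/adv/SAMPLE-1", alternative: "other-stream-utils" },
  { name: "tiny-mapper", versions: ["0.1.1"], safe: "0.1.0",
    url: "https://example.invalid/adv/SAMPLE-2" },
];

// Flatten the nested v1 "dependencies" tree into [{ name, version, path }],
// descending into per-package node_modules so transitive installs are seen too.
function listInstalled(lock) {
  const out = [];
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      out.push({ name, version: dep.version, path });
      walk(dep.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return out;
}

// Exact-version match against the advisory list; returns the offending entries.
function findCompromised(lock, advisories = ADVISORIES) {
  const byName = new Map(advisories.map(a => [a.name, a]));
  return listInstalled(lock)
    .filter(p => byName.has(p.name) && byName.get(p.name).versions.includes(p.version))
    .map(p => ({ ...p, advisory: byName.get(p.name) }));
}

// Build gate: returns 0 when clean, 1 when the build should fail, printing a
// link to details plus a known-safe version or trusted alternative.
function checkBuild(lock, advisories = ADVISORIES) {
  const hits = findCompromised(lock, advisories);
  for (const h of hits) {
    console.error(`${h.path}@${h.version}: known-malicious release, see ${h.advisory.url}`);
    console.error(`  known-safe version: ${h.advisory.safe}` +
      (h.advisory.alternative ? `; trusted alternative: ${h.advisory.alternative}` : ""));
  }
  return hits.length === 0 ? 0 : 1;
}

// Constructed lockfile in which the malicious package arrives transitively.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  "sample-stream-utils": { version: "3.3.6",
    dependencies: { "tiny-mapper": { version: "0.1.1" } } },
  "left-widget": { version: "1.0.0" } } };

console.log("build status:", checkBuild(SAMPLE_LOCK)); // a real hook would exit non-zero on 1
```

A real tool would fetch the advisory list from a trusted source and run from a prepublish or CI hook rather than embedding the data.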
  2. teaearlgraycold

    It might be easier to build a JS package without these malicious dependencies sneaking in if JS had a proper standard library. I think Google is the only entity positioned to make this happen - they control V8 (the JS engine in Node) and Chrome (the most popular browser, which uses V8 for its JS execution).

    If Google made a full stdlib (like Python's), and provided it by default in Node and Chrome, we might finally be able to fix this shitshow. The version bundled in the browser would exclude anything using syscalls and there would need to be a (large) polyfill for other browsers. But I could see Mozilla and other proper browsers getting on board.

    4 votes