back to article One-in-two JavaScript project audits by NPM tools sniff out at least one vulnerability...

JavaScript library custodian NPM, after years of security scrambling, looks to be getting a grip on its code safety. There was that incident in May when NPM swiftly removed a backdoored package following complaints. No real damage was done. A month earlier, the bit-shifting biz added a "audit" command to v6 of npm, the …

  1. Ken Hagan Gold badge

    So do these guys now have a runtime model that lets you import a specific version of your packages? Last time I looked, JavaScript just sucked in whatever shit was current on some other guy's website and you picked up whatever malware they were distributing that day. The only way to be safe was to host absolutely everything that your code uses.

    1. Pascal Monett Silver badge

      Re: "The only way to be safe was to host absolutely everything that your code uses"

      And that is also the only way to be sure of what the hell your website is doing.

      I have never understood the mentality of all those who just outsourced half of their website code to people they don't know.

      But hey, what do I know ? I'm just an old programmer . . .

    2. Nolveys Silver badge
      Windows

      Last time I looked, JavaScript just sucked in whatever shit was current on some other guy's website and you picked up whatever malware they were distributing that day.

      Yup. I love visiting sites that don't work for reasons that don't require javascript, but use it anyway. Then I click on the NoScript button and briefly wonder domain(s) in the pages of schlarf would make the page work. Then I close the tab.

      1. bombastic bob Silver badge
        Trollface

        agreed on the 'noscript' usage, except this is NodeJS we're talking about (from what I read in the article), and so it's all server-side. Running 'noscript' has no effect on server-side stupidity JavaScript and its apparent bag of vulnerabilities.

        Server-side JavaScript is its OWN target for snark, disdain, and generally being made fun of.

    3. FF22

      Ignorant

      "Last time I looked, JavaScript just sucked in whatever shit was current on some other guy's website and you picked up whatever malware they were distributing that day."

      Then you must have looked a very, very long time ago, possibly in a galaxy far, far away: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

      1. Ken Hagan Gold badge

        Re: Ignorant

        Not *that* long ago (https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/) and the link you provide describes a technique that would not have helped in that case because "missing package" is exactly what an integrity check failure is required to look like. Then there is the fact that if you know exactly what you wish to import and refuse to import anything else, you might as well host it yourself rather than steal bandwidth.

        1. FF22

          Re: Ignorant

          " and the link you provide describes a technique that would not have helped in that case"

          The link I've provided was an answer to the nonsensical complaint about JavaScript loading "whatever shit was current on some other guy's website and you picked up whatever malware they were distributing that day". Which obviously has nothing to do with node.js in the first place, which does not have this problem, as it's not loading stuff from "some other guy's website".

          So, yeah, that technique would not have helped in the case... because that problem OP complained about doesn't even exist as such in node.js

  2. Doctor Syntax Silver badge

    One-in-two

    As good as that? I'd rate anything that depends on stuff from some arbitray third* party sites as vulnerable.

    * Higher ordinal numbers are available and may also apply.

    1. AnonFairBinary

      Re: One-in-two

      you mean like windows, mac, and linux? do you manually patch all your systems? really?

  3. WibbleMe

    its the technical term is called a dependency hell

    you cant upgrade because your core npm relies on an lower second npm that if you upgrade or

    downgrade either

    for example npm typescript with npm crodova or npm angular working together on the latest version, not going to happen

  4. el-keef

    Context lacking

    One problem with the npm vulnerability scans is that they don't take account of the context of the dependency inclusion.

    For example, a fresh out-of-the-box Angular 6 install will show several dependencies with vulnerabilities. But, if you look closer, some are only vulnerabilities if e.g. deployed on the server-side in Node.js, or if they hit production browser code. Within Angular they're only used as part of the build system which means they'll never see anything public facing, they never become part of the code actually used to provide a service to the end user, so will never cause any issues.

    While it's fantastic that tools like npm and Github are reporting library vulnerabilities, the trouble here is that you get 'boy-cried-wolf' syndrome. If everything is is always reporting security audit issues which are easy to ignore then the one that matters, when it happens, will be missed.

  5. Stevie Silver badge

    Bah!

    Javascript a security risk? Coo, hooda thunkit?

    I mean there have been all those cross-site scripting attacks.

    But fair's fair. I mean, the users had broken the unwritten law.

    Get Rid Of Useless Javascript Now!

    1. FF22

      Re: Bah!

      "Javascript a security risk?"

      You didn't even read the first few paragraphs of the article, did you?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019