<https://thenewstack.io/npm-security-woes-continue-amidst-a-series-of-cdn-attacks/>
"Seriously! It seems like every time I blink, the popular JavaScript package
manager, Node Package Manager (npm), has had a new security violation revealed.
Last year, WhiteSource, a leading open source security provider, declared a
playground for malicious actors. They were right.
For example, Darcy Clarke, a former staff engineering manager for the npm CLI
team, recently revealed a fundamental problem, dubbed “manifest confusion.”
Clarke explained, “This massive bug at the heart of the npm ecosystem” arises
from the lack of consistency between an archived package’s manifest files and
its included JSON metadata file. Making things even worse, the manifests are
never fully validated against the tarball’s contents.
I bet you assumed they were consistent. Well, you’re in good company. Everyone
did. At one time, we could trust each other. Those days are long gone."
Via Steven Vaughan-Nichols, who wrote "Maybe it’s just time for Javascript
programmers to give up on npm. Seriously."
Cheers,
*** Xanni ***
--
mailto:xanni@xanadu.net Andrew Pam
http://xanadu.com.au/ Chief Scientist, Xanadu
https://glasswings.com.au/ Partner, Glass Wings
https://sericyb.com.au/ Manager, Serious Cybernetics