The NPM Registry's Safe Word is Socket (theregister.com)
An anonymous reader shares a report: Socket has found a way to protect developers from npm, GitHub's insufficiently safe JavaScript package manager, by wrapping it in a security blanket. The npm registry, operated by NPM until the security biz was acquired by Microsoft's GitHub in 2020, hosts software packages for the JavaScript ecosystem. It is, by its own account, "the world's largest software registry." In the past few years, the maliciously inclined have increasingly focused on compromising package registries like npm in what's known as a supply chain attack. Subverting a popular software library has the potential to enable widespread viral distribution. Those running the npm registry have put in place various defenses over the years, such as npm audit, a vulnerability scanning command in the npm command line interface (CLI). But the tool's implementation leaves something to be desired and developers often ignore audit warning messages, particularly if automated resolution doesn't work.
Socket built its own vulnerability scanning system and last year made it available for free (with paid tiers for teams and organizations) for open source projects. Its scanner runs as a GitHub app on code repositories when changes are made. It catches more issues than npm audit -- covering not just supply chain risk but also quality, maintenance, vulnerability, and license concerns. But Socket's scanner is also now available as a CLI that developers can install on their machines. On Thursday, Socket updated its CLI with a safe npm command that defends developers whenever they invoke npm install or npm uninstall, which perversely can install packages amid removing others. "npm creates what is called the 'ideal tree' for a given package.json," Feross Aboukhadijeh told The Register. "So by removing a package you might actually change what the ideal tree is. Removing a package may remove a constraint which is keeping a package on an older version, so then npm may update those packages to a more ideal/recent version."
npm sucks (Score:5, Interesting)
It's a rat's nest of dependencies, unmaintained broken code, and ignored security vulnerabilities.
But it's fixed now! (Score:1)
Lookit! It's fixed! These "socket" guys wrapped a blankie around it! There, all sorted!
Er, no, of course it isn't. It's still a big fat turd, but now it's a turd with a blankie around it. That just soils the blankie. But there's no end of self-delusion in the javascript space.
Re: (Score:2)
Perfect for a dive bar!
Re: (Score:2)
npm is still very good, there is a reason it has become the "biggest repo ever" as the article claims (don't really know if that's true, it probably is some clickbaity exaggeration, but the reality is npm still rocks and turned out to be better than almost everything before. since, it has inspired more efficient analogues but it still has the critical mass).
then again software industry has taken it as a norm to recklessly exploit such a gem with often zero consideration not only to security, but to element
Re: (Score:2)
That's par for the course these days. Why should we expect a repository of 'modern' code to be any different?
I wonder if, someday, these kids will discover that they can actually write their own code...
yay npm! (Score:2)
Yeah, NPM is horrible. I use a project telling me to use npm as an indication to not touch the project. It's the best way possible that I can think of to end up with an unmaintainable mess.
If something needs npm and I simply must have it, it goes in a container on another host and I'll consider it a single-time install. It doesn't get updated, it gets replaced.
Re: (Score:3)
Yeah, NPM is horrible. I use a project telling me to use npm as an indication to not touch the project.
Ha ha, you're not the only one following this guidance! I look at NPM today the same way I looked at PHP 15 years ago...
"Safe word"? Really? (Score:3)
Did either the submitter or the editor here really think through what it implies for npm to have a safe word?
I am sure a lot of JS and Node critics will have a field day with those implications....
Re: (Score:2)
Now I'm just thinking of the implications of trying to think of a joke about a socket, and getting squicked instead. Wait, that didn't come out right. Wait...
I think a good safe-word… (Score:5, Funny)
Re: (Score:2, Offtopic)
This was my safe word https://www.berfrois.com/wp-co... [berfrois.com]
Re: (Score:3)
> Meatloaf
I bet you say that to all the guys.
Re: (Score:2)
Eh, I'm more a fan of "Sunstone"...
Author has no clue (Score:1)
That's not what "npm audit" is, nor how it works. The actual vulnerability scanning happens on the registry's side of the fence, all "npm audit" does is submit the current s