15 comments

  • zihotki 6 minutes ago

    If everyone starts applying cooldowns, won't it postpone the problem? So now there is a considerable amount of users who are affected and someone from the affected group discovers the infection and reports it.

    But if everyone will be delaying updates, won't be there less chances to catch it in time? I'm not fully sure if it's possible to preventively scan all NPM packages or how much compute it would require.

      oakesm9 5 minutes ago

      I think the idea is that it gives a bit of time for the companies which run automated scans of new versions to run through and detect any issues with new versions before users install them en-mass.

      roblabla 4 minutes ago

      The goal is to give time for automated scanners ran by cybersecurity companies to flag malware before it gets installed on real users.

  • ashu1461 17 minutes ago

    This makes me think whether npm (and other registries) should apply security requirements based on ecosystem impact. Example a package having millions of downloads can have special security measures enforced.

      madeofpalk 16 minutes ago

      What would be a security measure that should only be selectively enforced?

        toomuchtodo 14 minutes ago

        Higher cost (“Mythos” vs static code analysis) vulnerability scanning prior to successful merge to main branch or deployment as an artifact. As risk increases, increase scrutiny on subject code to lower residual risk.

        (application security and vulnerability management is a component of my work in financial services)

  • insanitybit 39 minutes ago

    What a state of things where we have to fear installing software, and rely on vendors to scan things ahead of time, because our supply chain is such a mess and our tooling is so incapable of (and uninterested in) protecting us.

      Insimwytim 29 minutes ago

      You cannot call it a supply chain, if you have zero contractual relationships with the authors of the solutions you are using.

      [1] https://news.ycombinator.com/item?id=44434355

        stingraycharles 15 minutes ago

        I mean, that’s just arguing over whether or not the definition of “supply” implies “compensation”, which isn’t very interesting imho.

        The grandparent’s point remains the same, the software ecosystem and its supply chain or however you want to call it is a hot mess.

          xgulfie 7 minutes ago

          Traditionally the term "supply chain" has implied a buyer/seller relationship

        cryo32 27 minutes ago

        Oh that one really makes you think doesn’t it.

      madeofpalk 17 minutes ago

      What would a solution to this look like?

      What would it take to not fear installing software? This isn't a npm problem, its a computing problem in general. Spaces like this are generally pretty against any sort of restrictions or limitations being put on computers under the name of safety (see Manifest v3)

        jchw 12 minutes ago

        Manifest v3's actual motive was so shamelessly transparent that most of us just don't allow the "safety" argument for it to really be entertained. I don't have a suspension of disbelief rich enough to pretend I don't know.

      sunaookami 32 minutes ago

      No way to prevent this says only package manager where this regularly happens.

  • cadamsdotcom 7 minutes ago

    "We don't call 'em 0days any more, now we call 'em 3days"