Hacker News new | past | comments | ask | show | jobs | submit login

either because they think they have a bigger potential audience if Node is used, or because Node is what they know best.



I mean given how prevalent Node is for frontend theres a high possibility you could compromise a big enterprise companies proprietary code.


I think you can make a case that Node/NPM is more vulnerable to this than usual due to the huge number of packages pulled in by even simple applications. Can anybody really audit what 10k different packages are doing, and if any of them has had malicious code snuck in at some point?


It's not just more vulnerable, it's incredibly so.


It's not more vulnerable, it's as-vulnerable as any other package manager where anyone may upload code without sufficient review for people to blindly install and run.

We have already seen this abused in browser extensions being repurposed to inject advertising, in node and ruby modules being converted to malware, cryptocurrency miners being added to games on Steam etc. There was even a Nintendo Switch game that bundled a Ruby IDE, I believe iOS has had apps surreptitiously bundling other software too.


Which platform do you use which does not rely on large amounts of open source libraries?


Powershell has a security model. Also, Ryan Dahl (creator of node.js) is working on Deno as a replacement because he thinks he made a mistake with node.

10 Things I Regret About Node.js - Ryan Dahl https://www.youtube.com/watch?v=M3BM9TB-8yA


Ryan is one person and not involved with node anymore. Deno also has many mistakes IMO, so fine to agree to disagree on this one.


Interesting. You think he is making mistakes again? He complains about "second system syndrome." I've been using Deno for hobby projects and find a lot to like about it.


There's a bit more to it than that. The article touches on the fact that whats on npm doesn't have to match with what's on github (which is true for any package system that isn't 100% backed by source control).


It is also a rather easy attack vector. Publish an npm package with this code and when people pull it into their project they will have opened up a backdoor.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: