undefined | Better HN

0 pointsSTRML10y ago0 comments

Unfortunately, it's not as simple as disabling `postinstall` hooks. In dev,, especially, the Node process likely runs as the same user as the one who publishes packages. There is nothing stopping the code from spawning `npm` and publishing a malicious project as soon as it is require()d. And of course, you're requiring it at some point, otherwise why would you install it?

A better fix to this issue is to require publishers to enter a two-factor token, to email them to confirm publishing, or the like.

Yeah, it makes everyone a bit uneasy with how much trust is involved in the ecosystem. Is there a better solution?

0 comments

andrewaylett10y ago

Rather than 2FA, Maven requiring a GPG signature provides that extra security for me. Neither are infallible -- malware could infect your system sufficiently to intercept your next legitimate authentication.

Also, disabling install hooks in NPM would make things really difficult for packages that rely on native code as they've traditionally been compiled on install. I consider that an anti-pattern, but it's one that's unlikely to be removed any time soon.

j / k navigate · click thread line to collapse

0 pointsSTRML10y ago0 comments

A better fix to this issue is to require publishers to enter a two-factor token, to email them to confirm publishing, or the like.

Yeah, it makes everyone a bit uneasy with how much trust is involved in the ecosystem. Is there a better solution?

0 comments

andrewaylett10y ago

j / k navigate · click thread line to collapse