undefined | Better HN

0 pointssegphault8y ago0 comments

689 packages is enormous surface area for a leftpad-like (or worse) failure. Given that nobody is auditing those packages and many of the people who maintain them aren't adhering to best security practices[1], I don't think taking nearly 700 dependencies that you are going to treat like a black box is a safe or responsible choice.

Xcode and the Android SDK each come from a single vendor who provides an integrated development stack and presumably vets the contents. Does anybody do that with these npm packages?

It seems like every time I run the du command in my node_modules folder, I find some crap that shouldn't be there. Earlier this year, I submitted a PR that reduced the size of the babel react preset install footprint by about a third, just by removing a totally unused dependency that nobody noticed. I don't think the contents of npm packages get nearly enough scrutiny and it scares the hell out of me.

[1] https://www.bleepingcomputer.com/news/security/52-percent-of...

0 comments

6 comments · 3 top-level

fatso838y ago· 2 in thread

Build tool. Not app code. How is security relevant here?

segphaultOP8y ago

And you don't care if a malicious party compromises the development machine on which it runs? I can think of a whole lot of really damaging things that somebody could do running arbitrary JavaScript code with user-level privileges on thousands of developer workstations.

With various CI setups and some server-side rendering configurations, there are potentially scenarios where build tooling actually do run in environments where there are higher risks, though it's not as applicable in this specific case.

etor8y ago

Not really about security, but I've seen some deps that even track their usage (aggressively). So, I totally agree with the "not having the same scrutiny" as other tooling methods.

liamfd8y ago· 1 in thread

Would you mind linking to your PR? Would love to take a look.

segphaultOP8y ago

It literally just removes a line from the package.json file of one of the sub-dependencies: https://github.com/babel/babel/pull/5484

It's crazy to me that a package that is downloaded from npm over 4 million times a month gets so little scrutiny that nobody but me noticed a 5MB dependency on all of lodash that wasn't even being used.

fineline8y ago

How are you using du to find things that shouldn't be in node_modules? Wouldn't you need to build up a dependency tree, based on your app's package.json and recursing into every module's peer dependencies?

j / k navigate · click thread line to collapse