undefined | Better HN

0 pointstamimio1y ago0 comments

Not really, and it takes a few minutes because most of these packages (including npm) are small. You don’t have to read the WireGuard codebase because it’s reputable enough, but for obscure or unknown add-ons/package code, it’s on you to double-check, just like reading the ‘readme’.

0 comments

redserk1y ago

So just sneak the code in a dependency of a dependency.

Who’s diving 3-4 layers deep into dependencies?

netule1y ago

No need to hide it inside dependencies, just modify the code before building and pushing the package to PyPi.

froggertoaster1y ago

You can't "not really" this away. Most people don't bother looking at small package code, much less code for packages that are far more complex.

bdlowery1y ago

I haven’t looked at the source code of a single npm package I’ve installed in the past 5 years.

“It takes a few minutes”

Dude my web dev projects have like 1,000s of dependencies. I’m not going to check the source code of every package tailwind requires.

fbdab1031y ago

Even if you did review it, a motivated attacker is not going to have an exfiltrate_user_data(). The xz backdoor exploit was incredibly sophisticated, and one key of the design was sneaking a "." into a single line of a build test script.

A cursory audit of primary dependencies has almost zero chance of catching anything but a brazen exploit.

redserk1y ago

Yeah. Realistically I think the best course of action is just assume you’re already using a library that can exfiltrate data.

This requires allowlisting egress traffic and possibly even architecting things to prevent any one library from seeing too many things. This approach can be a big pain though and could be difficult to implement practically.

gotbeans1y ago

Imo this makes no sense. There's zero chance you will start inspecting all dependencies even in a relatively small application, which now a days could pull already a large number of deps.

I don't see how doing any of this manually will help.

akira25011y ago

This is why I refuse to use almost anything on npm. If you have a zero dependency project I'll consider it. If you have a dependency that also has a set of dependencies then I will never use your code.

genter1y ago

Would you have caught the XZ backdoor?

j / k navigate · click thread line to collapse

0 comments

redserk1y ago

So just sneak the code in a dependency of a dependency.

Who’s diving 3-4 layers deep into dependencies?

netule1y ago

No need to hide it inside dependencies, just modify the code before building and pushing the package to PyPi.

froggertoaster1y ago

You can't "not really" this away. Most people don't bother looking at small package code, much less code for packages that are far more complex.

bdlowery1y ago

I haven’t looked at the source code of a single npm package I’ve installed in the past 5 years.

“It takes a few minutes”

Dude my web dev projects have like 1,000s of dependencies. I’m not going to check the source code of every package tailwind requires.

fbdab1031y ago

A cursory audit of primary dependencies has almost zero chance of catching anything but a brazen exploit.

redserk1y ago

Yeah. Realistically I think the best course of action is just assume you’re already using a library that can exfiltrate data.

gotbeans1y ago

Imo this makes no sense. There's zero chance you will start inspecting all dependencies even in a relatively small application, which now a days could pull already a large number of deps.

I don't see how doing any of this manually will help.

akira25011y ago

genter1y ago

Would you have caught the XZ backdoor?

j / k navigate · click thread line to collapse