npm still defaults to publish rights across your entire account, which is kind of insane. Not scoped per package, not read-only. Just full access.
Leak a CI token and that's it, everything you've published is up for grabs. They added granular tokens but almost nobody seems to use them. Outside of a few big projects it's basically ignored.
Imagine if they removed publish API tokens entirely and required WebAuthn instead like one should for a task such as publishing software, preferably with a hardware key. Now that would be security.
Plenty of language communities want to avoid various mistakes (or at least, perceived mistakes, some people consider these features even if Java has retroactively moved away from them) that the Java ecosystem made over the years - verbosity/ceremony^(1), repeating yourself with types everywhere^(2), calling everything a bean, that weird XML phase it went through in high school, generic type erasure, Spring and it's massive runtime DI complexity^(3), and of course design patterns to mitigate language shortcomings, etc. etc.
But they all really screwed the pooch by not following Java's dependency management approach:
(With the caveat that NPM and PyPi (probably more, I'm just commenting on what I know) are belatedly catching up on some of these)
You can't get your malicious package installed by typosquatting or relying on package naming to cause confusion, because every package has two identifiers - a group id that is a DNS name you have to prove you control, e.g., com.google.guava, then a package name - you can publish your gauva package or guava2, but no-one is going to install it by mistake unless you happen to control Google domains. ^(4)
There are strict requirements - you must publish source code, docs, repo (even if it's internal) etc. You must include file checksums.
The package repository automatically scans all packages submitted for publication for evidence of malicious code, and either automatically rejects or flags suspicious packages for further human review
It also analyzes the overall security of your FOSS project (although many of the checks are GH specific currently) and publishes a security score card can be utilized alongside CVE/CWE etc. via a build plugin to reject packages in a build that aren't sufficiently safe.
It's still not 100% secure obviously, if a compromised project isn't using a passphrase for their signing key that is isolated from the build process, or an attacker manages to compromise the passphrase, through, say a developer downloading a fucking Roblox cheat, there's still a risk surface.
But all of the above makes the JVM dependency supply chain a far more hardened attack surface.
Please language maintainers, steal one of the best ideas the Java ecosystem had.
^(1: Java 24 now lets you define an entrypoint as a top level void main() {} not the infamous SomeClass { public static void main(String[] args) {} } that made CS 101 harder than it needed to be)
^(2: Now less of an issue with var and the diamond operator)
^(3: I'm a big fan of compile time DI like Micronaut or Quarkus do - no more loading a massive Spring context to run into tests - but then you could always avoid that if you didn't use field based injection anyway, constructor injection is the only way)
^(4: For people worried the this makes it hard to publish FOSS, there's an escape hatch for people using GH, GitLab etc. https://central.sonatype.org/publish/requirements/coordinates/#supported-code-hosting-services-for-personal-groupid)
I'd go even further than op's article. Dependency management not only requires hash based attestation of dependencies and source builds, they also need a full identity system for developers, builders, and runners if we want to obtain security and move past this stone age of supply chain attack vulnerable package management.
the runner image gap is the one nobody talks about. you can pin every action by sha and still be downstream of an unpinned ubuntu-latest that gets rolled whenever github feels like it. provenance attestations look airtight in the github UI but the actual trust root is "whatever vm github booted that day".
also the lockfile-hashes-cover-artifacts-not-sources point is exactly why postinstall scripts are still the easy attack surface. clean hash on a tarball whose preinstall reaches out to a curl-piped-to-bash, and the lockfile says "all good".
Honestly, the "reproducible" label on npm is a joke. I've wasted way too many hours trying to match a build to a git tag only to find some weird postinstall script changed everything. We're just installing black boxes and hoping for the best tbh.
User_Deprecated@reddit
npm still defaults to publish rights across your entire account, which is kind of insane. Not scoped per package, not read-only. Just full access.
Leak a CI token and that's it, everything you've published is up for grabs. They added granular tokens but almost nobody seems to use them. Outside of a few big projects it's basically ignored.
m0j0m0j@reddit
SoilMassive6850@reddit
Imagine if they removed publish API tokens entirely and required WebAuthn instead like one should for a task such as publishing software, preferably with a hardware key. Now that would be security.
User_Deprecated@reddit
Probably fixes the leak side of things. CI might be a pain though, our pipeline just auto-publishes on tag push.
BroBroMate@reddit
Once more onto my regular soapbox.
Plenty of language communities want to avoid various mistakes (or at least, perceived mistakes, some people consider these features even if Java has retroactively moved away from them) that the Java ecosystem made over the years - verbosity/ceremony^(1), repeating yourself with types everywhere^(2), calling everything a bean, that weird XML phase it went through in high school, generic type erasure, Spring and it's massive runtime DI complexity^(3), and of course design patterns to mitigate language shortcomings, etc. etc.
But they all really screwed the pooch by not following Java's dependency management approach:
(With the caveat that NPM and PyPi (probably more, I'm just commenting on what I know) are belatedly catching up on some of these)
com.google.guava, then a package name - you can publish yourgauvapackage orguava2, but no-one is going to install it by mistake unless you happen to control Google domains. ^(4)It's still not 100% secure obviously, if a compromised project isn't using a passphrase for their signing key that is isolated from the build process, or an attacker manages to compromise the passphrase, through, say a developer downloading a fucking Roblox cheat, there's still a risk surface.
But all of the above makes the JVM dependency supply chain a far more hardened attack surface.
Please language maintainers, steal one of the best ideas the Java ecosystem had.
^(1: Java 24 now lets you define an entrypoint as a top level
void main() {}not the infamousSomeClass { public static void main(String[] args) {} }that made CS 101 harder than it needed to be) ^(2: Now less of an issue withvarand the diamond operator) ^(3: I'm a big fan of compile time DI like Micronaut or Quarkus do - no more loading a massive Spring context to run into tests - but then you could always avoid that if you didn't use field based injection anyway, constructor injection is the only way) ^(4: For people worried the this makes it hard to publish FOSS, there's an escape hatch for people using GH, GitLab etc. https://central.sonatype.org/publish/requirements/coordinates/#supported-code-hosting-services-for-personal-groupid)daidoji70@reddit
I'd go even further than op's article. Dependency management not only requires hash based attestation of dependencies and source builds, they also need a full identity system for developers, builders, and runners if we want to obtain security and move past this stone age of supply chain attack vulnerable package management.
Complex_Computer2966@reddit
the runner image gap is the one nobody talks about. you can pin every action by sha and still be downstream of an unpinned ubuntu-latest that gets rolled whenever github feels like it. provenance attestations look airtight in the github UI but the actual trust root is "whatever vm github booted that day". also the lockfile-hashes-cover-artifacts-not-sources point is exactly why postinstall scripts are still the easy attack surface. clean hash on a tarball whose preinstall reaches out to a curl-piped-to-bash, and the lockfile says "all good".
programming-ModTeam@reddit
No content written mostly by an LLM. If you don't want to write it, we don't want to read it.
Straight-Band1208@reddit
Honestly, the "reproducible" label on npm is a joke. I've wasted way too many hours trying to match a build to a git tag only to find some weird postinstall script changed everything. We're just installing black boxes and hoping for the best tbh.