Node: deleted

Created on 27 Nov 2018  ·  8 comments  ·  Source: nodejs/node

npm wontfix

All 8 comments

Imho the most recent security issue is not a problem with the npm client itself but rather the network of trust we have in our ecosystem.

Switching package managers will not solve this issue, and removing package managers altogether is completely untenable.

This attack could have happened in other ecosystems as well, perhaps not the exact same way... But it would be possible.

I'd like to see the @nodejs/security-wg talk about ways that individuals and the ecosystem can create a more secure system, but that isn't what is being talked about in this thread.

I think we should close this issue, as shipping node without a package manager is not tenable and would not stop people from using the ecosystem of modules available.

Considering you just opened another issue which was closed I'd like to encourage you to step back from the keyboard and let this one boil over. There will be no quick fix to this.

Maybe a better title is "Node should stop bundling NPM in its current state" and demand more rigor from npm maintainers rather than making it easy to circulate malicious code by distributing npm as it stands. If you examine the issue that spawned this, you'll see how many people have linked to it in other repos discussing how to work around it - they don't just sit back and say 'wrong repo, not my problem'

I think these are important problems to deal with and I think lots of smart people (including the folks at npm) are working really hard on it.

Sorry for closing, on mobile and misclicked. Moving to desktop to properly respond

The Node.js project cares about security

All I want is to start the discussion - and for someone to finally wake up and get to work on fixing NPM for the benefit of everyone. - @thecodingdude

We really really really care about people running Node.js in a secure and reliable way. We also want to make sure we have a healthy ecosystem.

We have a bounty program

https://hackerone.com/nodejs

We run a security bug bounty program. We manage our own CNA. We collaborate with upstream dependencies on releases (e.g. openssl). We do strict security releases to patch 0-days with quite a bit of effort put in to making sure we don't leak embargoed vulnerabilities in advance.

Ironically a bunch of the team were heads down on an unrelated security release today

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

The Security-WG

https://github.com/nodejs/security-wg

The Security-WG does a bunch of different stuff to help improve the ecosystem including an ecosystem wide bug bounty program, a public vulnerability feed, and a bunch of forward thinking initiatives such as fuzzing core

The Package Maintenance Group

https://github.com/nodejs/package-maintenance

This is a new project that recently spun up specifically to discuss helping with maintenance of key packages in the ecosystem.

Computers are bad

This is the real problem. I'm not trying to paint with super broad strokes, but systems are inherently vulnerable and people will find ways to be clever. That doesn't mean that we shouldn't minimize the attack vectors, but we can't just throw these systems away because of their flaws.

Removing npm would not solve _anything_ imho. People will still find a package manager from somewhere (now a new vector for a gross MITM), they will still install modules, and those modules will continue to use the package.json to install and the CJS resolution algorithm to load. Removing npm doesn't make this problem go away.

The npm ecosystem is for the most part, imho, why Node.js is so successful. We can't just turn it off.

To be very clear. I think this issue should be closed and after this comment I will not be responding.

@thecodingdude I want to believe that you are coming from a good place in opening these issues, but the way you have chosen to engage does not immediately come across as good faith to me. I'd like to suggest you step back and think of more constructive ways to get involved, I've pointed some of them out above.

I think this issue should be closed

I agree and I'll be the one to do just that.

Going to lock this as there's seeming consensus that this is not the correct repo/location for this discussion and the issue has been closed by the original author.

@thecodingdude we appreciate you opening this issue and the effort you put into framing this effectively. If you'd like to continue this discussion, I would advise following the advice from Myles – we have several initiatives and working groups that this could definitely fall under, which Myles outlined very concisely. Contributions welcome! 🤗
