Imho the most recent security issue is not a problem with the npm client itself but rather the network of trust we have in our ecosystem.
Switching package managers will not solve this issue, and removing package managers altogether is completely untenable.
This attack could have happened in other ecosystems as well, perhaps not the exact same way... But it would be possible.
I'd like to see the @nodejs/security-wg talk about ways that individuals and the ecosystem can create a more secure system, but that isn't what is being talked about in this thread.
I think we should close this issue, as shipping node without a package manager is not tenable and would not stop people from using the ecosystem of modules available.
Considering you just opened another issue which was closed I'd like to encourage you to step back from the keyboard and let this one boil over. There will be no quick fix to this.
Maybe a better title is "Node should stop bundling NPM in its current state" and demand more rigor from npm maintainers rather than making it easy to circulate malicious code by distributing npm as it stands. If you examine the issue that spawned this, you'll see how many people have linked to it in other repos discussing how to work around it - they don't just sit back and say 'wrong repo, not my problem'
I think these are important problems to deal with and I think lots of smart people (including the folks at npm) are working really hard on it.
Sorry for closing, on mobile and misclicked. Moving to desktop to properly respond
All I want is to start the discussion - and for someone to finally wake up and get to work on fixing NPM for the benefit of everyone. - @thecodingdude
We really really really care about people running Node.js in a secure and reliable way. We also want to make sure we have a healthy ecosystem.
We run a security bug bounty program. We manage our own CNA. We collaborate with upstream dependencies on releases (e.g. openssl). We do strict security releases to patch 0-days with quite a bit of effort put in to making sure we don't leak embargoed vulnerabilities in advance.
Ironically a bunch of the team were heads down on an unrelated security release today
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
The Security-WG does a bunch of different stuff to help improve the ecosystem, including an ecosystem-wide bug bounty program, a public vulnerability feed, and a bunch of forward-thinking initiatives such as fuzzing core.
This is a new project that recently spun up specifically to discuss helping with the maintenance of key packages in the ecosystem.
This is the real problem. I'm not trying to paint with super broad strokes, but systems are inherently vulnerable and people will find ways to be clever. That doesn't mean that we shouldn't minimize the attack vectors, but we can't just throw these systems away because of their flaws.
Removing npm would not solve _anything_ imho. People will still find a package manager from somewhere (now a new vector for a gross MITM), they will still install modules, and those modules will continue to use package.json to install and the CJS resolution algorithm to load. Removing npm doesn't make this problem go away.
The npm ecosystem is for the most part, imho, why Node.js is so successful. We can't just turn it off.
To be very clear. I think this issue should be closed and after this comment I will not be responding.
@thecodingdude I want to believe that you are coming from a good place in opening these issues, but the way you have chosen to engage does not immediately come across as good faith to me. I'd like to suggest you step back and think of more constructive ways to get involved, I've pointed some of them out above.
I think this issue should be closed
I agree and I'll be the one to do just that.
Going to lock this as there's seeming consensus that this is not the correct repo/location for this discussion and the issue has been closed by the original author.
@thecodingdude we appreciate you opening this issue and the effort you put into framing this effectively. If you'd like to continue this discussion, I would advise following the advice from Myles – we have several initiatives and working groups that this could definitely fall under, which Myles outlined very concisely. Contributions welcome! 🤗