The recent spate of supply-chain attacks in the JS ecosystem (and others, but NPM is by far the worst offender) has me reconsidering my approach to 3rd-party dependencies.
First of all, less is good. I probably don't always need that whole library, I just need a piece of it. Can I copy it into my project myself? Can I write what I need myself?
Second, auditing dependencies is important. Do I expect myself to read every line of code in every package I import? No. But I do expect myself to give each dependency, and especially each one that ships with the production build, more careful thought.
Replies (8)
Fuck JavaScript, all my homies hate JavaScript
There have been many strides in automated static analysis. Vulnerabilities and their patterns are detected and signaled. Depending on the severity, the workflow may be halted.
And I know of a team who's working on a specialized LLM detecting general patterns of vulnerability and not just the recognized CVE issues.
Since I started using it about a month ago it has intensified...
The new job I'm starting in June will be in the supply chain security space! There's a lot of focus in that area now.
Always turn off pre- and post-install scripts; many of the attacks have taken advantage of the fact that most people leave those on by default.
And don't even get me started on how the "getting started" instructions for so many MCP servers and AI tools involve just yoinking a package straight from NPM and running it with `npx`.
The important thing is to have everything updated or to leave things as they are.
I'd like to be on the other side of this consuming these tools :)
You will be running circles around those npm "hacks".