upvote

points

by ezekg10 hours ago |
comments
upvoteby sophiabits10 hours ago|
next
[-]
I do not envy the position the npm team are in. They removed the ability to unpublish packages as a response to the left-pad incident[1] because it wasn't desirable for individual developers to break downstream dependencies by pulling their package maliciously.

Of course the side effect is that now it's much harder to pull packages for legitimate reasons :/

[1] https://en.wikipedia.org/wiki/Npm_left-pad_incident

reply
upvoteby antihero16 minutes ago|
parent|
next
[-]
I would prefer my builds to break than the ecosystem to be compromised.

That said, once unpublished the version should be permanently unavailable to prevent publishing over known good versions.

reply
upvoteby superfrank7 hours ago|
parent|
prev|
next
[-]
Maybe give publishers a way to quarantine versions with a warning that stops the install, but allows users can override if they choose to is the next step?

Give a publisher a way to tag a version as malicious and then in those hours between the exploit being noticed and the package being removed anyone who tries to install gets a message about that version being quarantined and asking whether they want to proceed.

It's not a perfect solution, but I think it's better than just waiting for NPM to take action without opening the door up to another left pad situation.

reply
upvoteby thayne7 hours ago|
parent|
prev|
next
[-]
I think cargo's yank is a good balance. It makes it difficult to pull the yanked version in as a dependency, but doesn't break existing usages, as long as the version is in the lockfile. And I think even then gives you a warning that you are using a yanked package.
reply
upvoteby zarzavat9 hours ago|
parent|
prev|
next
[-]
The obvious solution is that unpublish should be available within a time window after a new version is published and then unavailable after that.
reply
upvoteby beart9 hours ago|
parent|
[-]
There is a time window - https://docs.npmjs.com/policies/unpublish
reply
upvoteby zarzavat9 hours ago|
parent|
[-]
Yes but they didn't do it properly. They only allow unpublishing if there are no dependants, which means it can't be used to pull a package version for security reasons.

It should be that within the first X hours you can pull a version regardless of dependants, after that you should need approval.

reply
upvoteby ummonk9 hours ago|
parent|
prev|
[-]
I mean they brought that incident on themselves...
reply
upvoteby igregoryca10 hours ago|
prev|
next
[-]
The baffling part is why it takes hours for the npm security team to unpublish packages that contain malware, as attested by multiple independent sources? That should be able to happen in minutes.
reply
upvoteby linkregister9 hours ago|
parent|
next
[-]
It would take longer than minutes to validate the claims themselves.
reply
upvoteby consumer45110 hours ago|
parent|
prev|
[-]
Who vets the sources, and using what scheme?
reply
upvoteby tomjen37 hours ago|
parent|
[-]
If email matches owner of repo, pull now. If not verified, ban and restore later.
reply
upvoteby nabogh9 hours ago|
prev|
[-]
Some sort of middle ground should have been found where the unpublished package is still accessible as an archive or something. I'd much rather get my package broken than get hacked
reply