Semver range specifiers ~^
are not only used in a top-level package.json. They're also used by dependencies. It's not feasible to get everyone to stop using them and it wouldn't be good for the ecosystem and even security. If a dependency 5 levels deep gets a security fix, how do you update all along the way? It's a problem already, even though ^ is fairly popular.
Lockfiles solve the issue of a nested dependency getting updated accidentally. package-lock.json or yarn.lock, if used right, eliminate the probability of unexpected nested package updates in CI etc.
"Vendoring" - pushing node_modules into the repository - is not practical and doesn't offer benefits compared to fully leveraging lockfiles.
Even if "vendored", updating is a must and at any significant size of the dependency tree reviewing every single package coming down is not humanely possible.
Now finding a package and taking it over is one threat, but what about a maintainer of a useful package who intentionally publishes a malicious version to get rich quicker than otherwise just making opensource?
What about a prototype pollution in one package leading to a compromise of another package? What about the most popular way of delivering attacks - a postinstall script? The script would run before you get the chance to review the contents of the package. (That can be mitigated by socket.dev decently)
That's why instead of attempting the impossibility of reviewing all packages in your dependency tree I'd suggest preventing the outcomes of a malicious package eventually reaching your dependencies.
Enter: LavaMoat.
https://github.com/LavaMoat/LavaMoat
LavaMoat has tools for preventing unexpected postinstall scripts from running. (allow-scripts)
LavaMoat has tools to put each package in its own compartment and only allow it to access globals, builtins and other packages based on a policy. At runtime!
If a package attempts to require('fs')
or call fetch()
in a new version, it's not going to work if it wasn't there previously.
Enough reading?
Here's a conversation about supply chain and install scripts
https://www.youtube.com/watch?v=STC_ubJNiMs
Here's an intro to lavamoat
https://www.youtube.com/watch?v=iaqe6F4S2tA
Top comments (0)