Friday, February 15, 2019

I don't think enough people are afraid of NodeJS and npm

This is mostly personal opinion, but I think we should be very wary of anything that has an expectation of privacy or security and relies on the npm ecosystem.

It's deceptive in that it "seems" to be open source, but there's no guarantee that the code on GitHub matches what is published to npm, or that the minified code matches the pretty code, and even if you trust the developer, three steps down the dependency chain you may not trust whoever is there. We've already seen compromised packages used even by the likes of Microsoft. The open source module in question had 2 MILLION downloads a week. We're just lucky, really, that it was only targeting specific bitcoin wallets, but with security, luck isn't enough. The infected version of this module was used by 8 million developers for 2 months before it was found, and even that was mostly by chance.

This article explains a theoretical npm attack, similar to ones carried out since it was written.

I think either there are attacks like this occurring, or it's just a matter of time.

These same concerns exist for most open source software, but they are less significant there. Just because the code can be reviewed doesn't mean it is. And obfuscated code can be very, very crafty! I spend my work days reading code looking for my own bugs; I don't want to spend my free time doing the same (nor is there time to review the code of everything I use). I suspect the number of people actually reviewing code is very low: most open source code is only ever understood by those who wrote it.

Now, I still prefer it to closed source, but I feel too many people see "open source" and think it's 100% ok. It isn't. It's just a good sign. But for NodeJS projects, I would personally rather have a well-developed closed-source project than something relying on god-knows how many npm packages. It's just an insane model, and I don't understand how so many people think it's great. It's only a matter of time before there are some very large breaches because of npm, if they haven't already quietly happened.

tl;dr: I don't trust npm or anything which uses it.
