
I was lucky:

yarn list|grep eslint-scope
│ ├─ eslint-scope@~3.7.1
├─ eslint-scope@3.7.1
│ ├─ eslint-scope@^3.7.1

the malicious version is 3.7.2

damn #nodejs and #npm. people should really start to consider if they want to do *anything* in node since it poses a constant security risk.

The problem isn't really NodeJS; this can happen to Java, Go, Rust, … and many other languages as well.

The problem is verifying your dependencies. Maybe we should start to sign node packages, but remember what a mess this would cause, since you sometimes load more than a thousand different packages from more than a hundred different vendors, which would need you to verify more than one hundred keys when you just want to install a single piece of software.

@sheogorath it can happen in other ecosystems as well but it's a lot less likely. #npm is full of idiots who do not even follow basic security guidelines. I think until they find some way to fix this it's better not to rely on #nodejs. #mastodon also uses webpack which has a dependency on the mentioned malicious eslint package. it's just luck that mastodon now is not fully compromised by the attackers.

Sheogorath 🦊 @sheogorath

Npm put the concept of component based development at its core.

This is a valid thing but people don't consider the implications. In Component-driven development you have to trust your component vendors. I know this is something some people hate, but welcome to how the world works.

The problem in the node ecosystem is that trust is cheap to get and there are often no big vendors for tons of components
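An added example, not part of the thread: the `yarn list | grep` check from the first post done against the lockfile itself, reporting both whether eslint-scope 3.7.2 is actually locked and which declared ranges (`~3.7.1`, `^3.7.1`) would have accepted it on an unlocked install. The function names and the sample lockfile are constructed for illustration, and the range matcher assumes only exact, `~` and `^` ranges over plain x.y.z versions.

```javascript
// Added example: audit yarn.lock (v1) text for one known-bad release.
// Assumption: only exact, ~ and ^ ranges over plain x.y.z versions.
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

function satisfies(range, version) {
  const v = parse(version);
  const lo = parse(range.replace(/^[~^=]/, ''));
  if (!/^[~^]/.test(range)) return cmp(v, lo) === 0; // exact pin
  let hi = [0, 0, lo[2] + 1];                        // ^0.0.z pins the patch
  if (range[0] === '~' || (lo[0] === 0 && lo[1] > 0)) hi = [lo[0], lo[1] + 1, 0];
  else if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// Collect { ranges, version } for every lock entry of `name`.
function lockEntries(lockText, name) {
  const out = [];
  let current = null;
  for (const line of lockText.split('\n')) {
    if (/^[^\s#].*:$/.test(line)) {                  // unindented entry header
      const ranges = line.slice(0, -1).replace(/"/g, '').split(', ')
        .filter((s) => s.slice(0, s.lastIndexOf('@')) === name)
        .map((s) => s.slice(s.lastIndexOf('@') + 1));
      current = ranges.length ? { ranges, version: null } : null;
      if (current) out.push(current);
    } else if (current && /^\s+version /.test(line)) {
      current.version = line.trim().split(' ')[1].replace(/"/g, '');
    }
  }
  return out;
}

function audit(lockText, name, badVersion) {
  const entries = lockEntries(lockText, name);
  return {
    installed: entries.some((e) => e.version === badVersion),
    // Ranges that would accept the bad release on an unlocked resolve.
    exposedRanges: entries.flatMap((e) => e.ranges)
      .filter((r) => satisfies(r, badVersion)),
  };
}

// Constructed sample lockfile mirroring the ranges shown in the post.
const SAMPLE_LOCK = ['# yarn lockfile v1', '',
  'eslint-scope@^3.7.1, eslint-scope@~3.7.1:', '  version "3.7.1"',
  '"esrecurse@^4.1.0":', '  version "4.2.1"'].join('\n');
console.log(audit(SAMPLE_LOCK, 'eslint-scope', '3.7.2'));
```

On the sample, `installed` is false while both ranges are listed as exposed: only the locked resolution kept 3.7.2 out.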