SAN FRANCISCO, CA - In the wake of a devastating supply chain attack in the npm registry that left millions of enterprise applications compromised and billions of user records exposed, developers across the JavaScript ecosystem expressed deep sorrow today, lamenting that such a crisis was completely unavoidable.
“It’s a shame, but what can you do? This is just the price of building modern web apps,” said Senior Frontend Engineer Mark Vance, echoing the sentiments of a community that completely relies on a 40-level-deep nested tree of unvetted packages maintained by pseudonymous strangers to capitalize a single string. “There’s absolutely no way to foresee or prevent someone from taking over a long-abandoned utility package and injecting a crypto-miner into every production build in the world. It’s just an act of nature.”
Pebcak.
I write this as someone who fully hates npm and javascript, but it’s not even a package manager issue. The issue is that someone gets hacked and their credentials get stolen. This could happen to any ecosystem, it’s just more likely to be beneficial if you target JS because of ubiquity.
People would need to develop entirely new credential management protocols to circumvent this and they’d probably be risky to automate to the same degree of convenience that we have now so, unless you’re looking to spin up containers for each and every step of development or, god forbid, write/vendor your dependencies it’s actually not easy at all to prevent this sort of thing.