Another supply-chain attack.
According to new reports by Aikido and Socket, the compromised packages were modified to include a malicious 'preinstall' script that executes automatically when the npm package is installed.
That's why it's pertinent that https://npmx.dev lists these postinstall scripts.
In contrast to the frozen NPM package pages, npmx delivers some improvements:
- Transitive install size (similar to bundlephobia or packagephobia)
- Install script disclosure: any preinstall, install or postinstall script is rendered on the package page along with the
- outdated and vulnerable dependency trees
- version range resolution
- module replacement suggestions for features that become built-in ECMAScript. The dataset comes from https://github.com/es-tooling/module-replacements
- module format and types badges: ESM, CJS, both. TypeScript types, node engine range
- Multi-forge repository stats instead of GitHub only
- cross-registry availability: npm, JSR
- side-by-side package comparison
- version diffing between two versions of the same package
- release timeline with size annotations: Every version of a package is plotted on a timeline with markers where install size jumped by a meaningful percentage
- download distribution by version (avoid download breaks with major versions)
- command palette
- i18n
- accessibility as default
- agent skill detection
- social features on AT Protocol
- Local-CLI admin connector
- dark mode and custom palettes
An alternative to the frozen NPM pages that delivers more useful information per package.
NPM packages are under attack again. The first infected package was go-template, followed by hundreds more. The most prominent ones are Zapier, ENS, AsyncAPI, PostHog, Browserbase, and Postman.
Other source: https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
This entry follows the thehackernews.com news item https://shaarli.lyokolux.space/shaare/KY-ycA
My honest assessment is that the Rust / Cargo leadership need to be bold, deprecate packages publishing to crates.io and move to a decentralized package distribution architecture.
There is no other way around. Rust needs to copy Go, it's as simple as that.
The second part of the solution, way harder and more expensive to implement, is to release an extended standard library. We need to reduce the amount of third-party developers that we need to trust to release our software.
A workaround for now is to import Rust crates from git directly, such as ring = { git = "https://github.com/briansmith/ring", version = "0.12" }
An alternative to NPM. It looks interesting because it does more than NPM for authors.
Compared to NPM, JSR has native TypeScript support, ESM syntax, and some better constraints for interoperability.
More on https://jsr.io/docs/why
A wrapper that throws warnings about security risks.
A package.json can be provided in order to scan dependencies. It searches for risks.
Checks how vulnerable a package is.
It provides information to assess whether a package is safe enough for the use case.
The tool provides analysis for each line of code too.
Find unused dependencies: npx depcheck
Or install the package and run the command.
There is also npm-check that checks for outdated, incorrect, and unused dependencies.
Example usage of degit with a postinstall hook:
{
  "scripts": {
    "build": "eleventy",
    "postinstall": "degit tryGhost/Ghost/core/frontend/src/cards/css node_modules/ghost-cards"
  },
  "dependencies": {
    "@11ty/eleventy": "^1.0.0",
    "degit": "^2.8.4"
  }
}
TL;DR
A timestamp is used to - some zip programs do not work well with the Unix epoch, and Docker abuses the zip files, so NPM fixed it by changing the default mtime and ctime.
They use a specific timestamp: https://github.com/npm/cli/commit/58d2aa58d5f9c4db49f57a5f33952b3106778669