Sign in / up

back to article Not Particularly Mortifying: IEEE eggheads probe npm registry, say JavaScript libs not as insecure as feared

For the past few years, the security of JavaScript software packages available through the Node Package Manager, or npm, has been the subject of skepticism as a result of blunders, brouhahas, and tepid countermeasures. But several computer scientists affiliated with the IEEE say that npm packages aren't really as risky as has …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. ovation1357

    Phew! We're safe then!

    I recently had to try and package up the latest CLI for 'Box' cloud storage so it could be deployed into a secure environment with restricted internet access.

    Although it's maybe an impressive feature of npm that it warns you about security bugs, after it had pulled in well over 200mb of JavaScript files in the form of well over a thousand dependencies, it warned me that the current package was vulnerable to something like 800 known CVEs! (I forget the exact number - maybe it was 300 and I'm exaggerating but 300 or 800: the point still stands that this is utterly insane).

    There was an auto fix option which got part way through, borked the package, bombed out with a stack trace (if I recall correctly) and ultimately decided that the bugs could be automatically reduced to under 100 but to go further would require upgrading various dependencies through potential breaking changes. Sure, some responsibility has to fall of the vendor of the CLI code in question, but this problem is endemic in the general approach to software using such tools.

    I had to stick with it in its native form, warts and all. I was not at all happy about letting that near a secure environment but with some damage limitation measures it seems to be workin, at least.

    It's not just nodeJS though. Certainly it gets its fair share, but so many other languages are encouraging this super-convenient (when it actually works) but highly risky approach of automatically downloading vast numbers of interdependent libraries from a similarly vast number of sources.

    For me the very worst part of all of them is the fact that they all assume you have an internet connection and make it anywhere from difficult to impossible to build using simple local mirrors or to package up a complete set of everything needed to reliably run the application fully offline.

    People look at me like I'm mad when I suggest using a minimal set of carefully vetted external libraries whilst maximising the use of built in features of the chosen language and avoiding automated dependency resolvers like the plague... It certainly takes a bit more effort but you then end up with, let's say, a command line interface to a rest service which might be just a few megabytes in size instead of nearly 300mb, with only one or two external libraries if any at all - simple enough to audit, limited in function to pretty much only what it was designed for (How many times do Devs call in massive library X to use one single function out of hundreds!?), will run anywhere it's installed and is generally easy to debug.

    I'm not saying we should start reinventing the wheel every time, and it's clearly safer to use tried and tested code for things like encryption. But I am saying there's a balance between writing some bespoke code which happens to duplicate some functionality of a massive external library, and downloading half the ecosystem of your chosen language just parse a config file or open a damn socket. In my opinion npm and the likes go waaaay too far off the scale.

    22 0 Reply
    1. Glen 1
      Reply Icon

      Re: Phew! We're safe then!

      See also: Flatpak and Snap

      6 1 Reply
      1. ovation1357
        Reply Icon

        Re: Phew! We're safe then!

        Yeah.... Snap ಠ_ಠ

        I spent a bit of time trying to remove it from my Ubuntu laptop and failed. Chiefly I was trying to get the Debian packages for chromium browser to install before nuking snap but that didn't work.

        Funny story - I was genuinely interested in Snap and went along to a free technical session at Canonical's London office - due to some problem with the booking system (or people just being disingenuous arseholes) I was the only person who showed up so I got a really neat 1 to 1 session with one of the creators of snap. It was a fun evening and I found snap to be fairly elegant and well designed, except; like many others I'm not sold on the exclusive binding to Canonical's app store for publishing snaps (any the masses of loopback mounts is really irritating too). If they could just open it up a bit more to allow 3rd party (and local offline) app stores, plus not forcing it down our throats by default then it just might see some wider acceptance.

        All that said it does, of course, take us back to the old days of something akin to static linking and fat packages that we've all spent so many years trying to get away from.

        2 0 Reply
        1. Doctor Syntax Silver badge
          Reply Icon

          Re: Phew! We're safe then!

          "static linking and fat packages"

          Maybe it's worth while to start looking a bit more sympathetically at those. The trade-offs between the financial costs of on-disk storage and memory use vs security might have changed in the last few years.

          1 1 Reply
      2. Doctor Syntax Silver badge
        Reply Icon

        Re: Phew! We're safe then!

        Add AppImage.

        0 0 Reply
    2. MrBanana
      Reply Icon
      Pint

      Re: Phew! We're safe then!

      Stop it. That's way more sensible than any post should be on a Saturday morning. I know it's not just for breakfast, but have a beer anyway.

      6 0 Reply
      1. ovation1357
        Reply Icon
        Pint

        Re: Phew! We're safe then!

        <clink> Cheers!

        (Although my beer has morphed into a McDonald's Toffee Latte)

        1 0 Reply
  2. Doctor Syntax Silver badge

    Not even one in ten

    I'm not sure whether this counts as damning with faint praise or praising with faint damns.

    4 0 Reply
    1. DCFusor
      Reply Icon

      Re: Not even one in ten

      You'll be fine. Most of the bullets shot at you will miss - that's what they're saying.

      Someone appears to think it takes a majority to do the damage.

      1 0 Reply
  3. Robert Grant

    To be clear: this study is only on already-detected vulnerabilities. They've no idea of the total number of vulnerabilities.

    7 0 Reply
  4. Richard 12 Silver badge

    So how exactly does one check?

    Upgrading a library surely means doing an audit of the changes, and it seems that it is a deep tree of dependencies, often with hundreds of referenced packages.

    The reason these cryptocurrency miners and other worse things appear in real applications is because devs aren't able to properly audit updates.

    So what is the IEEE really suggesting? That devs should just update without any audits?

    3 0 Reply
    1. sabroni Silver badge
      Reply Icon

      Re: So how exactly does one check?

      npm automatically checks dependent libraries for known vulnerabilities when it's installing. If it finds vulnerable packages it prompts you to examine them (with "npm audit") and suggests you try fixing them (with "npm audit fix").

      The problem isn't that it's difficult to check for vulnerabilities, it's that it's easier not to.

      0 1 Reply
  5. Elledan
    IT Angle

    Chain of trust

    When writing code for a business environment or anywhere else where reliability matters, it's good to keep the chain of trust as short as possible. Every library, every build system, every dependency and 'convenient' script that you add is another chain that risks being compromised, broken or suddenly unavailable for whatever reason.

    While involved in the development and maintenance of a big manufacturer's infotainment system, I found myself in a mixed NPM and native (C, C++) environment. With my direct responsibility being with the native side, I endeavored to keep said chain of trust there as short as possible. All used code in the mixed C & C++ project was integrated into the source tree (including chunks of *urgh* Boost) with vetting and full removal of the existing build system so that the number of 'unknowns' in the build process got reduced as much as possible.

    In addition to being able to carry the entire project around on a USB stick to compile it on an air-gapped system if need be, it also made the subsequent security audit of my code and the rest of that in the infotainment system a snap. For my code at least. Having gone through the code repeatedly with a fine-toothed comb and knowing my way around it, the only issues the audit found were in the bits of the legacy C code which I was gifted by my predecessors, as well as in some external library code. Nothing serious was found, however, as I had run over the entire codebase with Valgrind and other tools.

    The thought of doing something similar for a project where 90% or so of the codebase is whatever the heck is floating around in the NPM storage pile at that point in time gives me nightmares. It's not just the JavaScript snippets in NPM, but also the countless native modules, that want to be compiled and run on production systems.

    Oh, but NPM is what is used for those infotainment systems nowadays. I hope that whoever are working on those systems today are having a blast with the fall-out from security audits :)

    4 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like