Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Attack Discovered On Node.js Package Manager npm (softpedia.com)

Posted by timothy on from the found-by-the-good-guys dept.

An anonymous reader writes: A Google researcher has discovered a way in which he could exploit some npm registry design flaws to propagate a malicious package to other packages, and in the projects that load them. The exploit leverages things such as npm's persistent authentication, developers who never lock down dependencies (and often use version number ranges), npm lifecycle scripts that run with the user's privileges (sometimes as root), and npm's centralized registry, which doesn't review or scan code. Attackers can compromise other projects with malicious code, can compromise Node apps used in corporate environments, or they can launch worm-like viruses that poison npm packages at random.

90 comments

  1. What about Ruby's gem? by Anonymous Coward · · Score: 0

    Isn't this scenario applicable there as well?

  2. time to spread? by Anonymous Coward · · Score: 1

    How much would it take to spread? If something like this gets added to Express or an Express dependency, I would imagine it would contaminate tens of thousands of products in one day.

    1. Re:time to spread? by phantomfive · · Score: 1

      If it got into something like a 'pad-left' then it would spread really quickly.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:time to spread? by slashdice · · Score: 2

      Remember those ads from the 80s and 90s about how sleeping with one person is like sleeping with all the people they slept with? Node and NPM are like that, if you slept with Charlie Sheen. It's like everybody is having a contest to see how many dependencies they can require. Who knew it takes 3 dependencies to figure out if a number is positive?

      --
      Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
  3. Why would anyone use JavaScript?! by Anonymous Coward · · Score: 2, Funny

    I can sort of understand using JavaScript in the browser. After all, it's the only option. But server-side?! There is no such restriction!

    Why the heck would anyone choose to use such an awful, crippled language when they have numerous superior options?!

    It baffles my mind how somebody would go out of their way to use such an awful language when there are so many better options available.

    I'm not one to pre-judge. I tried out JavaScript, Node.js and npm for myself. I couldn't believe just how awful they were! Everything about them feels like a regression compared to their competitors.

    1. Re:Why would anyone use JavaScript?! by Anonymous Coward · · Score: 3, Informative

      Because cheap code monkeys cannot write real code.

    2. Re:Why would anyone use JavaScript?! by i.r.id10t · · Score: 5, Insightful

      Aside from that, why are libraries pulled in dynamically from the intertoobs on a production server? Why aren't the libraries packaged like Perl CPAN stuff, or PHP PEAR stuff, to be downloaded (and signature verified?) to the server or dev machine and accessed only locally? Heck a tar.gz file with a posted list of hash sums would be more secure. This is all old hat stuff that has been solved in multiple ways, no reason at all for it to be an issue now.

      --
      Don't blame me, I voted for Kodos
    3. Re:Why would anyone use JavaScript?! by Anonymous Coward · · Score: 0

      Because the hipsters and their TPTB overlords want it that way.

      You underestimate the power of the hipsters.

    4. Re:Why would anyone use JavaScript?! by Anonymous Coward · · Score: 0

      I have notice a trend in the younger generation of developers: I know how to use a hammer, therefore everything is a nail.

    5. Re:Why would anyone use JavaScript?! by Anonymous Coward · · Score: 3, Interesting

      Said otherwise:

      Because the new generation wants fully-automatic updates, without a care for security at all. They won't even pay someone else to do it manually regularly.

      Plus it's great for targeted infection of people deemed dangerous to the "rich and powerful", without having to mess with the network.

    6. Re:Why would anyone use JavaScript?! by Anonymous Coward · · Score: 1

      When your only too is a javascript interpreter, every problem looks like the back of the CEO's head.

    7. Re:Why would anyone use JavaScript?! by pdvalentini6650 · · Score: 3, Informative

      When you are fluent in one language you speak that language even if there are better options.

    8. Re:Why would anyone use JavaScript?! by Anonymous Coward · · Score: 0

      As if this is somehow different in older generations that see their pet language as the hammer.

    9. Re:Why would anyone use JavaScript?! by Anonymous Coward · · Score: 0

      I would have to agree. Every one wants to use the new fangled language and then boast, 'do you know flappyfluffyflum'? It is a new language that uses creates RESTful Lambda functions ...

      I partly blame the C++ standards committee for being graybeards and taking too long to add features, which made people invent practical languages. I also blame Java for not living up to expectations as a Browser Language, I blame Sun Microsystems because despite all the PhDs and MBAs they hired, they failed to be Apple in the 1990s (when they had all the technology Apple has now - Audio compression, Unix, compilers, great CPUs) ... Sun Microsystems was an innovative company that aspired to be boring. SGI was an innovative company that aspired to be snobs, their hardware was to expensive ...

      My rant is done.

    10. Re:Why would anyone use JavaScript?! by SavedLinuXgeeK · · Score: 2

      I'm not sure how JavaScript would be that different than any other scripting language (Perl/Ruby/Python/PHP/Groovy), and those seem to have viable web ecosystems Not 100% sure where the hate for JS is coming from. Unless it's a disdain for scripting languages in general. That would generally leave you with C#/Java and Java, historically, has been the only cross platform solution, and the language has stagnated heavily over the last decade (though 1.8 and 1.9 are showing signs of life).

      --
      je suis parce que j'aime
    11. Re:Why would anyone use JavaScript?! by Junta · · Score: 1

      The problem being is that they use the other repositories in the same way. Sure you *can* download and go, but overwhelmingly, people use the automated install.

      Meaning that if people 'pip install' a package of mine that has a dependency, the chances are that my dependencies are such that you'll get latest of 'whatever' without verification and potentially without any test.

      Either more people or at least louder people are doing this more and more. This is a problematic strategy for the same reasons a rolling-release distro is a problem. It's good to minimize the time it takes to get new shiny things, but brings significant risks.

      Note there also is an annoyingly vocal camp that believes once you get '100% coverage' in unit tests and CI, your users will never have a reason to refrain from an upgrade again, so they tend to be all for this new world. Ignoring the fact that '100% coverage', while having a concrete meaning, is not as comprehensive as it sounds, and that unit tests can be just as flawed as anything else.

      Long story short, we have a lot of good practices, that people have a bit *too* much faith in.

      The good news, is that based on my experience, the vast majority of folks are doing things the good old stable boring way, but there's not much point in going out and advocating for 'old and boring'.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    12. Re:Why would anyone use JavaScript?! by Junta · · Score: 1

      My primary gripe with Javascript is that it really shows it was a scripting language for light use to liven up browser content a little bit, and overused from there.

      It's a serviceable language, obviously, but the same factors that have Perl tempting developers to make hard to maintain code are present in Javascript (a whole slew of syntaxes for the identical thing), though it's a bit more extreme in Javascript. Also a tendency for certain functionality to look almost like an accidental behavior (e.g. 'object oriented programming' done strictly through closures). E.g. it is good practice to put your entire script into a single function (because that's the only way to have script scoped variables). If you have a function written one way, 'this' refers to your calling context, you write it another way this is more typical, as well as having your closure bind 'this' to another name (commonly 'self') or calling .bind() on your function definition to bind this to something.... Though use arrow expressions and then have people complain because it won't work in their browser.... Of course you can do nice things with it and commonality trumps having to put up with a few oddities. For some it's even a bit fun to understand the myriad approaches, but if you are trying to find some functionality, there's so many patterns that might have been used it complicates such a search.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    13. Re:Why would anyone use JavaScript?! by SavedLinuXgeeK · · Score: 4, Interesting

      Javascript has some terribly bad parts (as does perl and php) and I would concur that languages like Python/Ruby seemed to be planned in entirety a bit more. I would recommend looking at ES2015+, the next revision of the Javascript. It does a lot to curb those issues (JS actually has a "strict" mode that handles some of the gotchas), and ES2015 adds proper module support, as well as a standard class syntax.

      These features have been in use for years by transpilers (to cover the gap between agreement on a new language feature and the time before it is adopted by the runtimes). Typescript is an even more powerful extension of ES2015 that adds compile-time type analysis/verification but generates nearly perfect idiomatic ES2015 code.

      --
      je suis parce que j'aime
    14. Re:Why would anyone use JavaScript?! by gweihir · · Score: 2

      Because cheap code monkeys cannot write real code.

      Sad, but true. We do not have to few coders. We have far too many and most of them bad.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    15. Re:Why would anyone use JavaScript?! by Junta · · Score: 1

      The problem being:
      A) It's of limited comfort if you have to support a lot of browsers, with uneven support. Less dysfunctional than it used to be, but for example a KeyboardEvent to this day won't have a 'key' attribute in most *new* Webkit/Blink browsers, despite it being around for years.

      B) A lot of the syntax for new things have to settle for approaches that are compatible with existing syntax. For example, requesting strict is a bare string 'use strict' string just hanging out. Arrow expression syntax is fine for a 'lambda', but it's also a suggested strategy for making 'this' behave more like programmers coming from other languages expect,at which point it looks really clunky.

      In general, I appreciate what Javascript does, but it is a bit tiring to hear a lot of people making it sound more 'all better' than it really is.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    16. Re:Why would anyone use JavaScript?! by phantomfive · · Score: 1

      I can sort of understand using JavaScript in the browser. After all, it's the only option.

      With WebAssembly, soon it won't be the only option in the browser. You'll be able to use APL for browser programming (if you can find a good keyboard somewhere).

      --
      "First they came for the slanderers and i said nothing."
    17. Re:Why would anyone use JavaScript?! by SavedLinuXgeeK · · Score: 1

      From a runtime environment, I agree there are lots of "quirks", and the DOM is one of the worst cross-platform interfaces of all time. Less of a contract and more of wishes and hopes. ES2015 really does focus on syntax (e.g. "use strict" is default when using modules and not required). "this" has always been a gotcha, but that is part of a language where the function is the unit context. I actually like that about Javascript (though I realize not everyone does). For that reason "let" was also introduced to provide more normal behavior for scoping per what others expect coming from other languages.

      I don't think it will ever be a "Java" or "C#" but it isn't necessarily a bad thing as lot of people seem to be happy with it's design and how it works.

      --
      je suis parce que j'aime
    18. Re:Why would anyone use JavaScript?! by __aaclcg7560 · · Score: 1

      I know how to use a hammer, therefore everything is a nail.

      As someone who worked 20+ years in Silicon Valley from software testing to help desk to computer security, the hammer as a solution to all my problems is one of my greatest weakness. I'm constantly asking myself how I can do my job better to avoid using the hammer, especially when the hammer have proven itself to be less effective over time. Most people don't want to change, keep hammering away at the problems, and wonder why they're making less money.

    19. Re:Why would anyone use JavaScript?! by Junta · · Score: 1

      Oh, I personally have found 'this' to be quite useful as it works in a number of scenarios (in the original application of futzing about with the DOM, the value of this is highly relevant). It's just an interesting example of offering multiple behaviors in different contexts. If you use an arrow expression, then this is similar to the concept as found elsewhere. If you use bind(), then this is always whatever gets bound (which can be an entirely different thing altogether).

      I still maintain that as a language for operating on things inside a web browser, it's adequate, but going Node.JS is a direction of which that I personally am not a fan.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    20. Re:Why would anyone use JavaScript?! by __aaclcg7560 · · Score: 1

      It baffles my mind how somebody would go out of their way to use such an awful language when there are so many better options available.

      Most people don't consider PHP to be a better option.

    21. Re:Why would anyone use JavaScript?! by Anonymous Coward · · Score: 0

      It's called Windows 10. You get updates when ever MS decides to push them out and without any Q/A testing (they did get rid of all the Q/A testers didn't they?) so when a hacker decides to play "Thermal Nuclear War" who's going to win?

    22. Re:Why would anyone use JavaScript?! by SavedLinuXgeeK · · Score: 2

      As a server side language, I'm extremely torn. I've actually been using Typescript pretty heavily lately (and decorators), and it makes the code I write not too far off from the Spring/Java code I would generally write. My biggest concern with NodeJS is the maturity of the ecosystem, and how it plays with enterprise software development. One of my goto examples is LDAP support. There were a handful of libraries (circa 2014) that sort of worked, but had gaps, and ultimately required doing some odd trickery to work. The analog to Java would have been one or two libraries that are mature and just work.

      I personally find NodeJS is generally a fine experience, but the ecosystem (which is what the story is about) is just lacking structure that other languages have. It will mature, but may be a lot of pain along the way. The other day I had to choose between Python and NodeJS for a utility I was writing, and I went with Python because batteries were included, and I was afraid of trying to figure out how to include dependencies on the remote host in a consistent and manner.

      --
      je suis parce que j'aime
    23. Re:Why would anyone use JavaScript?! by KGIII · · Score: 1

      With a few exceptions, namely being the myriad choices available today that were not available not so very long ago.

      --
      "So long and thanks for all the fish."
    24. Re:Why would anyone use JavaScript?! by KiloByte · · Score: 1

      Most people don't consider PHP to be a better option.

      One could name perl or python... but then, compared to node.js and PHP, assembler and brainfuck are better choices.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    25. Re:Why would anyone use JavaScript?! by __aaclcg7560 · · Score: 1

      One could name perl or python...

      I'm using a Python-based static website generator for my website. No more MySQL or PHP attacks from hackers in Russia and Asia. Being able to load web pages in three seconds is also a nice bonus.

    26. Re:Why would anyone use JavaScript?! by slashdice · · Score: 1

      Node.js is for people too stupid to learn PHP.

      --
      Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
    27. Re:Why would anyone use JavaScript?! by DarkTempes · · Score: 1

      npm does not require you to install packages from the registry and your application's package.json dependencies do not either.

      For production you can very easily have your own internal git server hosting your packages and dependencies, at specific verified versions.
      Or if you don't like git you could have an internal SSL/TLS server hosting tarballs of all of the packages/dependencies.

      The npm registry makes sharing packages easy but nothing says you have to use code straight from that to production.
      Hell, you don't even have to use npm if you don't want to.

      And javascript on a server can make sense for something like making an web service API that spits out JSON data (and since browsers are limited to javascript you're generally going to want your data in JSON.)
      JSON is already, obviously, native to javascript and thus very easy to use, you can reduce duplication of effort and manpower by having the same knowledge requirements on the client/server, and in my experience it's a bit annoying to shift gears when thinking in multiple languages on the same project.
      Basically, using the same language for everything can reduce complexity which every resource I've ever read stresses as a good thing.
      Let me emphasize that can. If you look at node.js like a hammer and every problem starts to look like a nail then you're not going to have a good time.

      And for people who just hate javascript because it's javascript: yes, javascript has annoying quirks.
      But all languages have annoying quirks and I find scripting languages in general make you pay a toll for their convenience. Perl, php, python, lua, bash, ruby, etc are not perfect for everything either.
      The toll is generally worth it but it does give us something to bitch and moan about.

    28. Re:Why would anyone use JavaScript?! by FrozenGeek · · Score: 1

      More to the point, we have far too many coders who are not interested in the craft. They are interested in a paycheck and that's where their interest ends. They are not interested in increasing the depth or breadth of their knowledge and abilities. Compounding the problem, we have far too many management types who are not at all interested in code done right as long as it's done by the deadline.

      --
      linquendum tondere
    29. Re:Why would anyone use JavaScript?! by Anonymous Coward · · Score: 0

      The new coolness can't be bogged down by the old hand stuff. They are so busy pushing the outside edge of the envelope that they can't be bothered to do a little bit of research and side step the obvious issues that have already occurred in similar projects in the past.

  4. How do we know it hasn't already? by Anonymous Coward · · Score: 4, Insightful

    How do we know that such techniques haven't already been used?

    Even if they fix these flaws, I think every single line of code in every single version of every single npm package will need to be reviewed by a team of security experts.

  5. Good thing leftpad broke it, then! by BenJeremy · · Score: 2

    Petulant developers save the internets!

  6. Javascript and security? by Anonymous Coward · · Score: 5, Insightful

    Wait... there are people who run Javascript code, on a server, as root? Untrusted Javascript code they don't control to boot? Uhhh, wow.

    1. Re:Javascript and security? by El_Muerte_TDS · · Score: 3, Insightful

      wget -O- https://example.org/install.sh | sh

      is a very common installation method presented by various tools (or via curl). In most cases you even need to run them as root due to the fact that the creators of those tools do not understand how to have their software work as non-root users.

      For example:
      https://toolbelt.heroku.com/de...
      https://docs.docker.com/linux/...
      https://nodejs.org/en/download...

    2. Re:Javascript and security? by Anonymous Coward · · Score: 2, Insightful

      I tend to see "curl" more often than "wget -O-", but it's the same problem.

      And when a software project recommends

      curl (some url) | sh

      I assume that the developers arrogant or incompetent.

      When the project recommends

      curl (some url) | sudo sh

      I assume that the developers are incompetent or malicious.

      But I'm a greybeard.

      The sad thing is that I've met bright, young developers who don't see it as a problem. "That's how the Internet works," they say, pointing at Javascript on the web. (I grind my teeth at JS+HTTP == web == Internet, but that's a separate issue.)

      After all, if your customers have enabled Javascript, they've already given up the idea of curating the code that runs on their system. There's no review, approval, QA, or audit trail. And if your customer base is okay with that (as 99% of the technical folks seem to be), why should you be the one to take on the additional work?

      And once your organization is okay with that thinking, then the curl/wget thing follows naturally. Same mindset and acceptance of risk.

      After all, being careful will just slow you down and let your competitor beat you in the market.

      It's almost enough to make one cheer the blackhats.

    3. Re:Javascript and security? by leptons · · Score: 2

      Wait... there are people who run Ruby code, on a server, as root? Untrusted Ruby code they don't control to boot? Uhhh, wow.

      Wait... there are people who run PHP code, on a server, as root? Untrusted PHP code they don't control to boot? Uhhh, wow.

      Wait... there are people who run Python code, on a server, as root? Untrusted Python code they don't control to boot? Uhhh, wow.

      FTFY...

      It isn't about the language, it's about package management. Singling out Javascript makes you look like an idiot because you don't understand the problem.

    4. Re:Javascript and security? by Anonymous Coward · · Score: 0

      It's very much about language. Node.js enabled client-side "devs" who knew some Javascript because of jQuery to suddenly start making server side apps. I know a few of such types.

      As opposed to Python, Ruby, and I'd dare even say *some* PHP devs, who had to pass through a certain learning process, where they picked up knowledge about MVC, templating, separation of concerns, SQL injections, security and similar stuff...

    5. Re:Javascript and security? by Anonymous Coward · · Score: 0

      90% of devs are clueless and dangerous.

      100% of Javascript devs are clueless and dangerous.

      Yes, 100%... all of them.

  7. I am becoming wary of npm by Anonymous Coward · · Score: 1

    npm as a concept seems susceptible to failures of different kinds. If I were to build a long-life system around Node.js, this could be a problem.

    1. Re: I am becoming wary of npm by Anonymous Coward · · Score: 0

      "Becoming"?! The use of JavaScript didn't scare the shit out of you in the first place?!

  8. Not really. Javascript breaks production by raymorris · · Score: 5, Interesting

    I don't think this is really applicable to any other language. With any other language, since roughly the 1950s, standard practice has been to test code, often in two or three steps, THEN deploy it to production after your developers and your QA team have signed off on it.

    With Javascript and node.js, you declare the name of some external package you'll use and it constantly fetches the newest version, with the newest bugs, directly onto production. You never see, never mind test, the code before it runs on your production systems. With any other language, you'd upgrade production to a known, vetted version only occasionally. If there was an issue the community hadn't already caught, hopefully you would catch problems in testing.

    We saw a similar problem last week - somebody removed their package from the repository and that broke everyone's production systems.

    This approach may sound insane. Because it is.

    1. Re:Not really. Javascript breaks production by phantomfive · · Score: 1

      Part of the problem (as I understand it) is that NPM will run arbitrary code as part of the installation process, which is where the worm is able to install itself in every other package, and get ready for uploading.

      That's not really an issue for something like Maven because:
      A) Maven doesn't run arbitrary code as part of the installation process
      B) If you modify a library you downloaded in Maven, the library won't get re-uploaded again for everyone else to download immediately. Maven doesn't really have the cyclical 'upload-download' sort of thing that NPM does.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Not really. Javascript breaks production by SavedLinuXgeeK · · Score: 1

      Maven has the same problem in the SNAPSHOT dependencies, as they are free to be updated in the standard cycles. You also have to consider that the Maven plugins run in the same space as the user (and are pulled from the same dependency repositories). This makes maven just as susceptible with one major caveat. There are multiple federated repositories and publishing to one of those repositories requires reputation, and hosting your own repository (without reputation) is like downloading untrusted APKs on Android.

      --
      je suis parce que j'aime
    3. Re:Not really. Javascript breaks production by Anonymous Coward · · Score: 1

      Ray, you are understanding the mechanics of it correctly, but the issue is that npm isn't something you _should be using on a production system in order to pull in code. you're correct, its insane to do that. as, imo, its insane to blame the tool for the antics of its users.

      getting all the fiddly bits of a node.js app into the right places so that you can run and/or build multiple apps with different versions of packages pretty much means (ass-u-me-s?) that you want to do your testing/review in such a way that you 'upgrade' production by tagging and pulling from a multi-repo-repo. its shortcutting that mess, i mean, trying to simplify its complexity to the point where you break things, thats insane.

    4. Re:Not really. Javascript breaks production by gweihir · · Score: 1

      "Insane" indeed. Nobody with at east a shred of understanding for software-engineering would ever do such a thing. It explains a lot about the broken nature of most JavaScript though.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Not really. Javascript breaks production by Anonymous Coward · · Score: 0

      The problem you described is not an issue with JavaScript. I've worked with JS for over a decade and I always make sure I have a local copy of the source files I am using in my code. My scripts don't pull from third-party servers because any network outage or code removal on their end would kill my website. That scenario would be, as you pointed out, completely insane.

      The problem is not with the tools (ie JavaScript) it is with incredibly stupid developers who are not mirroring (ie controlling) the code they rely on.

    6. Re:Not really. Javascript breaks production by __aaclcg7560 · · Score: 2

      With any other language, since roughly the 1950s, standard practice has been to test code, often in two or three steps, THEN deploy it to production after your developers and your QA team have signed off on it.

      As a Software QA test intern, I found a crash bug on the test server that I could easily reproduced 100% of the time. My manager could not no matter how many times I showed him how to do so. Since he couldn't reproduce it all, he signed off the update to the production servers. The bug crashed the production servers immediately. The engineers discovered a deep flaw in the code, pulled the production servers offline for three days, and the company lost $250K in revenues. My internship wasn't renewed and I wasn't hired full time (much to the disappointment of my manager). One-third of the staff got laid off a month after I left so the company could recover the lost revenues. That started a death spiral for the project.

      With Javascript and node.js, you declare the name of some external package you'll use and it constantly fetches the newest version, with the newest bugs, directly onto production.

      The copy-and-paste script kiddies haven't figured out that they need to host local copies of those files with their program files or on a CDN.

    7. Re:Not really. Javascript breaks production by KGIII · · Score: 2

      It's not like they assigned themselves that score. He needn't justify shit for you.

      --
      "So long and thanks for all the fish."
    8. Re:Not really. Javascript breaks production by Anonymous Coward · · Score: 1

      With Javascript and node.js, you declare the name of some external package you'll use and it constantly fetches the newest version

      Wrong. With Javascript and Node.js you can use the "require" function to load packages that you have already installed (per project or globally), but it doesn't fetch anything from the Internet for you. That's what tools such as npm are for.

      While npm is bundled with Node.js, but using Javascript and Node.js doesn't magically cause npm to be used. If you don't want to use it then don't use it.

      With any other language, since roughly the 1950s, standard practice has been to test code, often in two or three steps, THEN deploy it to production after your developers and your QA team have signed off on it.

      That's actually how it works with npm too. Use npm install to fetch the dependencies you want to use (which recursively gets the dependencies' dependencies too, because that's the whole point of a dependency resolver) all neatly inside a subdirectory of your project. You can then test your project and deploy it. There's no automatic fetching of dependency updates unless a person (or a service somebody sets up) tells npm to check for updates. But you'd almost never want to do that directly on production.

    9. Re:Not really. Javascript breaks production by Gr8Apes · · Score: 1

      Maven has the same problem in the SNAPSHOT dependencies, ...This makes maven just as susceptible with one major caveat. There are multiple federated repositories and publishing to one of those repositories requires reputation, and hosting your own repository (without reputation) is like downloading untrusted APKs on Android.

      So, Maven suffers from the exact same problem? Great, glad we cleared that up, since "trust" for this type of crap just isn't good enough. It's why even when I have to use Maven as an ineffective build tool, the dependencies are all loaded onto a private repository that trusts no one and has no external connections. Why on earth would I trust my codebase to outside third parties?

      --
      The cesspool just got a check and balance.
    10. Re:Not really. Javascript breaks production by Gr8Apes · · Score: 2

      Unfortunately the majority of the script kiddies, sorry, "rockstar ninjas" coding javascript don't have a clue what anything other than "file" means in your statement. They are insane, by our standards. And yes, I know where of I speak, as I'm having "fun" bringing a modified JS library into our client side framework for a new web client. To call it a pain in the ass would make counting parens in LISP a joy by comparison. It's exactly the regurgitated half-digested vomit I'd expect to come out of a bunch of script kiddies. The final fixed version will probably wind up not having saved me any time over writing the entire component from scratch, although the promise was there until I actually exercised the functionality we needed. Yes, I offered the fixes back up the chain. Apparently JS people (including NodeJS) don't really care about correctly functioning code.

      --
      The cesspool just got a check and balance.
    11. Re:Not really. Javascript breaks production by Thiarna · · Score: 1

      In my opinion, JavaScript is Lisp reinvented very badly. That it is so popular and important as a programming language says something interesting about how standards emerge. I was starting to feel that this opinion just showed how out of touch I was with things, but the recent issues with NPM seem to show a serious lack of insight or experience in the communities pushing js on the server side. I can't believe there are so many seemingly competent developers advocating that it is a good thing to have packages that consist of a single line function, and that's before even looking at the security and governance issues with NPM itself.

    12. Re: Not really. Javascript breaks production by Stewie241 · · Score: 2

      What can happen is including npm install as part of your deployment process. Depending on how tightly you specify your dependencies this could result in packages getting updated to versions that have not been tested with your code by simply redeploying (or maybe somebody has put this in as part of the flex up process, so you end up with new app servers with slightly different code than older app servers.

      There are many ways to solve this, but it can get overlooked until you get bitten in the ass and deploy code that isn't what you thought you were because some package dev somewhere released a package upgrade.

    13. Re:Not really. Javascript breaks production by SavedLinuXgeeK · · Score: 1

      I do the same. We have a private repo that proxies (and stores) all copies of everything we use so that we won't lose access to them. It's kind of a bear, but on the Maven side, it acts as a network proxy for our entire dev team, though the overall benefits aren't that high.

      --
      je suis parce que j'aime
    14. Re:Not really. Javascript breaks production by SkunkPussy · · Score: 1

      Its worth pointing out that when you pull in a package from npm, there is no guarantee that its the package you expected to pull in. We also saw this week that the npm administrator is perfectly happy to change the package that's represented by a particular name.

      --
      SURELY NOT!!!!!
    15. Re:Not really. Javascript breaks production by myowntrueself · · Score: 1

      My internship wasn't renewed and I wasn't hired full time (much to the disappointment of my manager). One-third of the staff got laid off a month after I left so the company could recover the lost revenues. That started a death spiral for the project.

      You dodged a bullet. I just hope you have a decent job now.

      --
      In the free world the media isn't government run; the government is media run.
    16. Re:Not really. Javascript breaks production by __aaclcg7560 · · Score: 1

      You dodged a bullet. I just hope you have a decent job now.

      The internship was 20 years ago. I didn't dodge the Great Recession, where I was out of work for two years, underemployed for six months (working 20 hours per month), and filed for Chapter Seven bankruptcy. I'm in my second year of government IT and the prime contract is fully funded for the next three years.

    17. Re:Not really. Javascript breaks production by Anonymous Coward · · Score: 0

      Even a cursory look at the packaging file's documentation shows that you can specify specific version(s) for your dependencies: https://docs.npmjs.com/files/package.json

    18. Re:Not really. Javascript breaks production by Anonymous Coward · · Score: 0

      Doesn't matter, because it's scalable and non-blocking and runs in the cloud and, and and, .....

      You use node to build MVPs and hope someone buys you out before anyone notices your software sucks!

    19. Re:Not really. Javascript breaks production by Gr8Apes · · Score: 1

      To be honest, this entire experience with Maven and Gradle I've had over the past 8 years and multiple projects has brought me full circle back to potentially using Ant with Ivy, as that cleanly separates dependency management and builds and doesn't require contortions to get simple multiple build targets executed. Multi-module multiple target builds are anything but trivial with either Maven or Gradle.

      --
      The cesspool just got a check and balance.
    20. Re:Not really. Javascript breaks production by Anonymous Coward · · Score: 0

      You can create your own private repository, copy the packages that you need there and and make it the default npm registry.
      It is a bit laborious, but relatively trivial.

      Also you can use npm shrinkwrap to lock the versions of all your package dependencies.

    21. Re:Not really. Javascript breaks production by Anonymous Coward · · Score: 0
      Gotta love how much Slashdot is a Java circlejerk. Let's break this down, shall we.

      With Javascript and node.js, you declare the name of some external package you'll use and it constantly fetches the newest version, with the newest bugs, directly onto production.

      Why would you even consider doing it. When you declare your dependencies in your package.json, you can lock the major or minor version or all. If you don't, you will get the latest applicable version when you fetch your dependencies. If you want to lock your versions before deploying (which any sane developer would do), you'd use npm's shrinkwrap feature https://docs.npmjs.com/cli/shr...

      You never see, never mind test, the code before it runs on your production systems.

      What does testing have anything to do with Javascript/node? There's plenty of test frameworks out there for it, and the vast majority of dependencies include a bunch of tests, which are run before being able to publish them.

      We saw a similar problem last week - somebody removed their package from the repository and that broke everyone's production systems.

      I don't understand why this would break a production system. If you remove a package from maven's repo, you won't be able to fetch it either, same thing here. If you fetch your dependencies from a third party on a production system, you're an idiot, and that's applicable to any language or frameworks.

  9. The issue with dep managers and version wildcards by Anonymous Coward · · Score: 2, Insightful

    I argue this with other devs a lot. Dependency managers, *especially* if you use version wildcards, are asking for trouble. Keep more of a handle on what your dependencies are, and only move versions if there's a compelling reason (security update, huge performance boost, etc).

  10. * to the best of my understanding. Details may be by raymorris · · Score: 4, Informative

    The above post is my (small) understanding of the issue. I'm sure node.js fans will point out a detail that I missed. I'm no expert on Node.js because as someone else pointed out, you use Javascript in the browser, despite it's many flaws, because you have no choice. On the server side, there are several much better options, so it would seem that only people too lazy to learn a server-side language would use Javascript on the server (or maybe some other special case).

  11. Re:* to the best of my understanding. Details may by Anonymous Coward · · Score: 4, Funny

    I'm sure node.js fans will point out a detail that I missed.

    Nah, they'll just copy and paste someone elses reply that they found on StackOverflow.

  12. Not specific to Javascript by Junta · · Score: 2

    CPAN, PyPI, RubyGems, et al all encourage this behavior in a manner that enables a particular language developer.

    Similarly, prolifiretaion of other enabling technologies (e.g. copr, ppa, etc repositories or dockerhub hosted images) have similar implications at different levels.

    The thing is once upon a time, this was all a pain in the ass, to be tolerated until you would do the packaging all nice and neat. These rather nice things all came about because people didn't want to tolerate the pain in the ass of tracking all these dependencies just to get started, and suddenly pulling in some arbitrary library from the internet is not much more complex than a single include/import/use/whatever statement.

    So far so good, until people stop using it as something to get started and/or something to get their personal setup going, and started advocating fast and loose references as a way of life for production setups and delivering to third parties. There's an assumption baked into all these setups that code only ever gets better over time, and it's best to get 'latest' no matter what (even in the face of who knows what attempts to change things, with bugs and interface changes and all).

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Not specific to Javascript by Anonymous Coward · · Score: 1

      Not really. Every module in CPAN have test that are automatically executed by cpan before being install (make test), also it doesn't force you to update anything if the module doesn't requiere the latest STABLE version of its dependencies which often it doesn't because Perl is a relatively stable language (unlike say, Ruby on Rails).

    2. Re:Not specific to Javascript by Junta · · Score: 1

      have test that are automatically executed by cpan before being install (make test)

      most, not all. Additionally, unit tests are not going to be perfect. Particularly since it is a self-test. If they are being used in some way they don't realize, the tests may miss something. Ditto for applying the 'STABLE' moniker. A developer can go nuts and call it 'STABLE'.

      Things in CPAN are just as capable as anything else at screwing up downstream users, and I have seen it bite folks. Due to longevity, things in CPAN are a bit more likely to be utterly stagnant compared to npm, which is a pretty volatile set of stuff.

      It continues to be good practice to provide your dependencies alongside your code, rather than letting the end user assemble 'latest and greatest', unless your dependency is known to be maintained by an appropriately conservative entity (e.g. CentOS/et al, apart from perhaps EPEL, which can be a bit more aggressive). Beware of arbitrary ppa/copr/obs repoes as the policy behind each may be different.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  13. Re:The issue with dep managers and version wildcar by Anonymous Coward · · Score: 0

    version numbers lockdown ftw!

  14. Why the Javascript hate here? by Anonymous Coward · · Score: 1

    I'm not a young hipster. I'm an oldie who has worked in a dozen or more languages over the years. Starting with Algol back in the day. I have worked on all kinds of systems from industrial control, safety critical avionic flight controls, CAD systems, and yes the web.

    I was very surprised to find out a few years ago that the stupid Javascript language, you know that simplistic and slow scripting language use by web-monkeys to respond to mouse events and animate useless crap in the browser, is actually quite sophisticated. It has had features from the start that C++ and Java are only recently catching up with, in their clunky ways.

    JS has performance. As an experiment I re-implemented a simple server side process in JS that was previously C++. Bugger me the JS version was nearly as fast, much simpler, much easier to maintain and extend. There was no going back after that, everything I do is server side JS now.

    No I won't use it for serious compute intensive tasks. Bu then I would not use Java or PHP or whatever for that either. Use the right tool for the job and all that.

    Yes, npm has it's problems. Yes one should not be running any random code downloaded from the net willy-nilly on ones servers. These considerations apply to all languages as far as I can tell, unless you are crafting all of your code with no dependence on external libraries or operating system.

    Somebody here said testing was the answer. Sure testing is a damn good idea but really, if the is some rogue code hiding in some module the module may work perfectly well in every test you can throw at it. Until one day it is triggered and wakes up to do whatever it does.

    My conclusion: JS is a great server side language. Keep you wits about you when using other peoples code.

       

    1. Re:Why the Javascript hate here? by Anonymous Coward · · Score: 0

      I was very surprised to find out a few years ago that the stupid Javascript language, you know that simplistic and slow scripting language use by web-monkeys to respond to mouse events and animate useless crap in the browser, is actually quite sophisticated. It has had features from the start that C++ and Java are only recently catching up with, in their clunky ways.

      If You compare javascript to C++ or Java, You have already failed. Different languages exist for different purposes. Next up, let's compare COBOL vs SQL to see which one creates the better GUI applications.

      JS has performance. As an experiment I re-implemented a simple server side process in JS that was previously C++. Bugger me the JS version was nearly as fast, much simpler, much easier to maintain and extend. There was no going back after that, everything I do is server side JS now.

      Either it was too simple or it was a really bad C++.

      No I won't use it for serious compute intensive tasks. Bu then I would not use Java or PHP or whatever for that either. Use the right tool for the job and all that.

      Exactly. Javascript is a language that was created to allow users punch a monkey on an ad. Then people started to use it for serious things, because it became a language of the most popular VM on the planet. Not for its features, elegance of design, ease of maintenance, speed of execution -- it exists because it is bundled with every browser.

      My conclusion: JS is a great server side language.

      I'm really sorry to hear that that is Your conclusion. Not only that, in this very post You have agreed that You would not use it for CPU intensive tasks, which is exaclty one of the reason for server side. Please rethink Your position.

    2. Re:Why the Javascript hate here? by leptons · · Score: 2

      You're the only other sane person in this thread. I know this is slashdot, and it's full of anti-javascript hatred to it's core, but all these comments overlook that this isn't a javascript problem, this is a package manager problem which other languages also have. Nothing about this is really specific to javascript at all, but it's an all-too-convenient reason to bash javascript yet again in an online forum that has jumped the shark many years ago.

    3. Re:Why the Javascript hate here? by Anonymous Coward · · Score: 0

      Any reason is good to hate on Node.js/JS here. Slashdot is filled with veterans that are scared that things are changing rapidly and they'll be left out, so they try to convince everyone around that whatever they're used to is better. It's like your mom telling you not to buy a Toyota Yaris because it's a bad car. She can't tell you why, but if there's a recall on a door handle, you damn well know she'll be more than happy to tell you "SEE, I TOLD YOU IT WAS A BAD CAR".

  15. Re:* to the best of my understanding. Details may by Anonymous Coward · · Score: 0

    A language is only as good as the person using it. "Better" options are just user preference, node.js is a perfectly capable back end.

  16. Re: * to the best of my understanding. Details may by Billly+Gates · · Score: 2

    But only node.js can be a total rockstar language man

    --
    http://saveie6.com/
  17. Rust never Sleeps by kybred · · Score: 1

    Where's the "Why don't they use Rust" guy?

    1. Re:Rust never Sleeps by Anonymous Coward · · Score: 0

      Having dinner with the Dart guy

    2. Re: Rust never Sleeps by Anonymous Coward · · Score: 0

      its web scale.

  18. Re:The issue with dep managers and version wildcar by Junta · · Score: 2

    It really depends on the real audience.

    What I like to do is offer two paths to download. One via a channel like CPAN or such, and as a package repository. If someone asks 'how to run the code' I say 'add this package repository (yum/apt) that we support and maintain', and there we are strict about the dependencies, mirroring, updating, and testing them. There's a dependency that sees a major release? Good for them, they aren't in the repository until they get tested. The users of the yum/apt get priority support-wise because it's much less variation to contend with and sort out.

    If a developer wants to build something themselves and grabs it from the CPAN/PyPI/whathaveyou, I let them get the 'latest and greatest' knowing that they are better enabled to cope with the risk and sort through. The hope is that they would, in turn, do the appropriate effort to make a *supportable* distribution of their project, but if they don't, it's on them rather than me.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  19. Re:* to the best of my understanding. Details may by Anonymous Coward · · Score: 2, Interesting

    Capable, yes, in that it executes code, the best option, pretty much never.

    I take a polyglot approach to backend development and I've yet to find a case where node.js was actually the best tool. This is not user preference, this is understanding the tools you use. I've yet to find anyone using node.js who is competant in more than just javascript.

  20. Re:* to the best of my understanding. Details may by Anonymous Coward · · Score: 0

    Your incompetence is peeking out from your saggy-ass pants. JavaScript is no better and no worse than other programming languages in the hands of competent programmers.

    Javascript is the bastard two-headed stepchild of VisualBasic and Perl, and just about as "good" as you'd expect that to be: not very. It's fine for fetching new material from a server or twiddling the DOM, but other than that, no, it's just not very good.

  21. Re:* to the best of my understanding. Details may by Anonymous Coward · · Score: 4, Interesting

    Your comments read like a confused mess. It saddens me they have both been modded so highly. But ill informed JS hate has always ridden high in these parts.

    Firstly, neither Javascript nor Node do anything you describe, and laying the accusations solely at the feet of Javascript itself is just laughable. Like blaming paper for having had a bad novel printed on it. Javascript is just code, a bunch of text files sitting in a directory. Node processes/runs that code when you tell it to. It'll either exit out on completion or keep going if that's what you've set up your code to do. That's it.

    The problems you describe are with a third entity, Node Package Manager (NPM) which, while now included with Node, is not Node, does not run when Node does and is merely a tool you can choose to use (or, apparently, abuse) as you see fit to install and manage external (or even internal) packages. Those packages in turn are again just Javascript - text files sitting in a directory that will be processed by Node if your code calls that dependency.

    I have no desire to explain out further basics of NPM, but needless to say my experience has been, of course, entirely different to what you describe. NPM is not some rampaging beast updating shit behind your back without telling you (unless you actually are running NPM directly on your production servers - in which case, shame on you). The symptoms you describe actually suggest the opposite. Someone changed the packages.json file and everyone else failed to run npm to update the local packages to match after getting latest. So you all went out of sync with whoever made that change. That's a failure in your deployment and testing strategies, nothing more.

  22. Re:* to the best of my understanding. Details may by Anonymous Coward · · Score: 0

    You're not wrong, but at the same time you're not right. It's definitely possible, and even common to do things the way you say. But as the summary itself points out, that's a fault of developer choice rather than an inherent flaw. Anything released for production in any way -should- have specific version numbers set, in which case node uses those versions and the problem talked about here isn't actually a problem.

  23. Re:* to the best of my understanding. Details may by Anonymous Coward · · Score: 0

    You're interfering with the Java/Spring/Maven/etc. circle jerk. Get out.