10 comments

[ 5.3 ms ] story [ 287 ms ] thread
Hey HN,

In light of this week’s discussion on the corrupted NPM packages colors/fakers ( https://news.ycombinator.com/item?id=29863672 ) the article describes one of our security features that enforces a delay before new versions from upstreams (like npmjs) are allowed in an organization’s private registry.

This puts a safety barrier between your organization and “the latest” versions, allowing you and the open source community time to react when things like this happens.

Most people seem to agree that something needs to be done in regards to how npm dependencies are managed, the problem is finding a solution that people can agree on…

We believe this solution comes with a lot of security benefits, without creating massive barriers that negatively impact developers day-to-day work.

But will this also delay important security fixes and patches?
The idea is that the safety delay would protect your organization from automatically (and in many cases unintentionally) updating to a new compromised dependency version, where you are unaware of a problem.

In the case with security fixes and patches, you would be aware that a security issue exists and, if needed, could manually add the security patch either to the same registry or to another registry where you have complete control over the versions allowed.

Oh, I see it. I didn't quit get that part correctly.
A valid point, but from my view there are two scenarios:

1. You have a known security bug in one of your dependencies that is discovered.

If it is a serious bug you need to check if you are affected and make sure to use the right version and remove the faulty version from your registries. In this case any private npm registry will happily allow you to manually upload the correct version.

If your "security" is that you rely on your dependencies to be automatically updated when you happen to rebuild your product then sure this will increase your exposure time.

If it is not serious then it does not matter.

2. Somebody has uploaded something malicious (with some very high profile cases of late)

Then this might save you. Given that the community finds the malicious code before your delay period runs out.

Yeah, it all comes down to workflow and standard operating procedures.
Totally agree with you, i think it's time to think carefully and immediately start using services like Vulert(https://bit.ly/336DZub) that tracks your open-source softwares for free and notifies you in real-time if any seccurity issue is found within your applciation. it's free.

atleast in this way we can secure ourselves from supply chain attacks

yeah, it's just the beggining of this, you will see supply chain attacks will increase more than 100% just in 2022, in short whole internet is at risk, it's time to think carefully and immediately start using services like Vulert(https://bit.ly/336DZub) that tracks your open-source softwares for free and notifies you in real-time if any seccurity issue is found within your applciation. it's free.

Let me know what's your thought on it.

The risk with relying on notifications is that it's retroactive and you are already exposed. Instead of attempting to stop threats before they enter your supply chain.
yeah agree, but with the help of real time notification you can move really quickly i think.