NPM is down due to Cloudflare Workers outage
npm installs are failing for many due to cloudflare outage. No report on npm side yet
UPDATE: npm status has been updated to reflect issues https://status.npmjs.org
UPDATE: npm status has been updated to reflect issues https://status.npmjs.org
6 comments
[ 0.25 ms ] story [ 26.0 ms ] threadThey would just need to run their own IPFS client, so every NPM module is at least pinned by NPM. And then users who do an npm install could have the option to be a part of the P2P pool, which would essentially just spin a light IPFS client on their side to pin the modules downloaded.
The hash table associating each npm module => IPFS link could then be duplicated on other hosts (AWS, Google) and consulted as fallback if Cloudflare is down.
Or even, this strategy could be used to reduce bandwidth costs even in day-to-day operations.
There are three major types of risk in software supply chain:
This last one is often ignored. It's less sensational and "nothing ever goes away from the Internet, right? Right???"There are all kinds of nasty examples of dependencies going away. The two big patterns are:
The ideal is to have your build process be hermetic, not just from when you kick off the build but over a longer period of time. At the very least have an artifact management solution that you control as a caching proxy.I'd like to see the major cloud providers caching all the major package repos inside their networks.
I'd also like to see multiple CDNs for every major package ecosystem.
I highly recommend reading https://slsa.dev