Wednesday, March 30, 2016

NPM and Security


So I decided to expand my learning a bit with npm and just as I start diving into it,  lo and behold, one of the major tenants of Open Source has been abused, "Trust".  An individual unpublished a bunch of their popular modules, which promptly broke a many developer builds.    Not only did this cause an uproar, but also some serious discussions about the inherent security issues of the current npm community process.    

Right now it's very easy for a npm newcomer to just run "npm install some_package" that was previously a trusted source, but is now compromised and end up with nefarious code that could seriously affect their system.  If you work with github at all, you might download a project that has many npm module dependencies, enough that going through a serious code review before you try to launch it would take a considerable amount of time.  

IMHO, here's what I think needs to happen, assuming it can be communicated effectively with enough advanced warning.  Admittedly, I'm very new to npm, so some of my suggestions may not be perfectly tuned, so please forgive me. 
  • On npmjs.com, make it easy to flag a module that has an issue.  You have to be a member to flag and set a threshold on the number of flags before it's deactivated and sent for review.  Additionally add a new parameter to the npm config that enables the npm install to ignore flagged modules with a level threshold setting.    Typical warning messages would occur on install of a flagged module.
  • Consider changing  --ignore-scripts   to --enable-scripts with a configuration setting that can be changed to the old behavior.  
  • Breakup the main repo into multiple repos consisting of;
    • Core modules that are provided by the npm team.   Other npm modules could be added to the core only through a vetting process after submission by the author.  Once submitted and included, all rights transfer over to the npm team.
    • Move all other modules to a developer  repo, also owned by the npm team.    A developer would need to specifically add that repo to their configuration.  

No comments:

Post a Comment