The latest articles on DEV Community by Mark (@m4rk9696). https://dev.to/m4rk9696 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F111095%2F1dfbb9f8-2b82-4d88-a552-efa4350aa2fb.png https://dev.to/m4rk9696 en Mark Tue, 27 Nov 2018 14:23:26 +0000 https://dev.to/m4rk9696/npm-we-all-knew-this-would-happen-eventually-16fl https://dev.to/m4rk9696/npm-we-all-knew-this-would-happen-eventually-16fl <p>I remember reading <a href="https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5">this article</a> when it first came you in Medium</p> <p>Some highlights from the article</p> <blockquote> <p>The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all.</p> <p>Although this is all made up, it worries me that none of this is hard.</p> <p>There’s no shortage of smart, nasty people out there, and 580,000 npm packages. It seems to me that the odds are better than even that at least one of those packages has some malicious code in it, and that if it’s done well, you would never even know.</p> </blockquote> <p>It's dated to Jan 6 2018, nine months later we have this <br> <a href="https://github.com/dominictarr/event-stream/issues/116">I don't know what to say.</a></p> <p>This all reminds me of <a href="https://en.wikipedia.org/wiki/Murphy%27s_law">Murphy's Law</a>.</p> <p>I know there is already a <a href="https://dev.to/nepeckman/how-do-we-improve-security-in-the-npm-ecosystem-3hmj">post</a> discussing about how to improve security, but what worries me the most is how <strong>toxic</strong> the Github thread became. Quoting them here would get me banned.</p> <p>I know this is <strong>a very very serious issue</strong>, but let's say your new to open-source or coding in general and you finally manage to make a project that is useful to the community. </p> <p>One day you open your repository to find ~500 comments, people shouting at how you screwed up big time and you don't know why. That isn't the best community experience.</p> <p>I've always thought the <a href="https://opensource.org/licenses/MIT">MIT license</a> mentioned that this can happen</p> <blockquote> <p>THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND</p> </blockquote> <p>I personally was using <a href="https://github.com/electron/electron">Electron</a> before from <a href="https://dev.to/tux0r">tux0r</a> from this community pointed out <a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass/">this</a></p> <blockquote> <p>This makes XSS particularly dangerous, as an attacker's payload can allow do some nasty things such as require in the child_process module and execute system commands on the client-side</p> </blockquote> <p><a href="https://dev.to/tux0r/comment/6gh3">Link to the actual comment</a>, a small shout out thanks</p> <p>Big shots do screw up</p> <ul> <li><a href="https://en.wikipedia.org/wiki/OpenSSL#Notable_vulnerabilities">OpenSSL</a></li> <li><a href="https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)">Spectre</a></li> <li><a href="https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)">Meltdown</a></li> </ul> <p>What pops to my mind is <a href="https://youtu.be/v678Em6qyzk?t=388">this from Donald Knuth</a></p> <blockquote> <p>Err <br> and err <br> and err again <br> but less <br> and less <br> and less</p> </blockquote> discuss npm security javascript